tomcat-users mailing list archives

From "Lira, Alesio" <l...@ediguay.com.uy>
Subject Difficulty with SSL authentication without client certificate
Date Wed, 26 Nov 2003 16:43:45 GMT
Hello there.

I've tried to configure a security realm for pages so that if a user certificate is present
it will be used, but if it doesn't exist the application will resolve the situation with the
user authentication level already known.
After wrestling with the web.xml parameters and defining a user realm, I have found that Tomcat
(4.1.27) returns a BAD REQUEST, and control is never ever given to the user realm defined.
So, I turned to the source code.


In org.apache.catalina.authenticator.SSLAuthenticator.authenticate(), I've found this:
.
.
.
        // Fall back to the attribute set by the SSL connector
        if ((certs == null) || (certs.length < 1)) {
            certs = (X509Certificate[])
                request.getRequest().getAttribute(Globals.SSL_CERTIFICATE_ATTR);
        }
        // Still no chain: reject the request before any realm is consulted
        if ((certs == null) || (certs.length < 1)) {
            if (debug >= 1)
                log("  No certificates included with this request");
            hres.sendError(HttpServletResponse.SC_BAD_REQUEST,
                           sm.getString("authenticator.certificates"));
            return (false);
        }

        // Authenticate the specified certificate chain
        principal = context.getRealm().authenticate(certs);
        if (principal == null) {
            if (debug >= 1)
                log("  Realm.authenticate() returned false");
            hres.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                           sm.getString("authenticator.unauthorized"));
            return (false);
.
.
.

So, this is the reason. If there are no client certificates, there is no chance for a user
realm to take control. I commented out the certs == null if, and then everything worked fine.
Even if the authenticator realm were the memory one, it returns a null that is caught by
the last if.

Is there another way that I haven't seen to perform this same task? One without touching
the catalina.jar?

This is a feature that is needed at the site I am programming for.

Thanks for your attention.

Alessio Lira
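The three behaviours discussed in the message (the original SSLAuthenticator, the version with the null check commented out, and an explicit fallback to a password realm) side by side, as an added model in Python. This is not Tomcat code and not the poster's patch: Request, CertRealm, PasswordRealm, the authenticate_* functions and the sample users are constructed here to show how each variant treats a request that carries no client certificate, and why a fallback should record which method actually authenticated the user.

```python
"""Model of the SSLAuthenticator decision quoted in the post (Tomcat 4.1.27).

Added example, not Tomcat source: every name below is constructed for
illustration. Status codes follow HttpServletResponse; a list of subject
names stands in for a real X509Certificate[] chain.
"""
from dataclasses import dataclass
from typing import List, Optional

SC_OK, SC_BAD_REQUEST, SC_UNAUTHORIZED = 200, 400, 401


@dataclass
class Request:
    # Stands in for the SSL_CERTIFICATE_ATTR request attribute (constructed).
    certs: Optional[List[str]] = None
    # Credentials a FORM/BASIC authenticator would have collected (constructed).
    username: Optional[str] = None
    password: Optional[str] = None


class CertRealm:
    """Realm mapping a certificate subject to a principal (constructed)."""

    def __init__(self, trusted):
        self.trusted = trusted  # subject -> principal name

    def authenticate(self, certs):
        # Mirrors Realm.authenticate(X509Certificate[]): a null or empty
        # chain yields null, which is what the poster relies on.
        if not certs:
            return None
        return self.trusted.get(certs[0])


class PasswordRealm:
    """Realm checking a username/password pair (constructed)."""

    def __init__(self, users):
        self.users = users  # username -> password

    def authenticate(self, username, password):
        if username is None or self.users.get(username) != password:
            return None
        return username


def authenticate_original(req, cert_realm):
    """Quoted behaviour: no chain -> 400, the realm is never consulted."""
    if not req.certs:
        return SC_BAD_REQUEST, None, None
    principal = cert_realm.authenticate(req.certs)
    if principal is None:
        return SC_UNAUTHORIZED, None, None
    return SC_OK, principal, "CLIENT-CERT"


def authenticate_patched(req, cert_realm):
    """The poster's change: null check removed, so the realm sees a null chain.
    The 400 becomes a 401, but still nothing asks for a password."""
    principal = cert_realm.authenticate(req.certs)
    if principal is None:
        return SC_UNAUTHORIZED, None, None
    return SC_OK, principal, "CLIENT-CERT"


def authenticate_with_fallback(req, cert_realm, password_realm):
    """Explicit fallback: certificate first, then the password realm, and the
    method that succeeded is returned so authorization can tell them apart."""
    if req.certs:
        principal = cert_realm.authenticate(req.certs)
        if principal is not None:
            return SC_OK, principal, "CLIENT-CERT"
        # Design choice in this model: a presented but untrusted certificate is
        # rejected rather than silently downgraded to password authentication.
        return SC_UNAUTHORIZED, None, None
    principal = password_realm.authenticate(req.username, req.password)
    if principal is None:
        return SC_UNAUTHORIZED, None, None
    return SC_OK, principal, "FORM"


if __name__ == "__main__":
    certs = CertRealm({"CN=alice": "alice"})   # constructed trust table
    users = PasswordRealm({"bob": "s3cret"})   # constructed user table
    anonymous = Request()
    print("original :", authenticate_original(anonymous, certs))
    print("patched  :", authenticate_patched(anonymous, certs))
    print("fallback :", authenticate_with_fallback(
        Request(username="bob", password="s3cret"), certs, users))
```

The returned method tag ("CLIENT-CERT" versus "FORM") is the part worth keeping in a real fallback: a page that may be reached by either route can then grant certificate-only privileges to the certificate-authenticated session alone, instead of treating both as equivalent.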
