From: James Rome
Date: Wed, 28 Sep 2005 15:41:05 -0400
To: tomcat-user@jakarta.apache.org
Subject: Realms and certificates

None of the standard realms do certificates properly. For example, o.a.c.authenticator.SSLAuthenticator.java does not check to see if a certificate has been revoked. The LDAP realm compares the presented certificate to the one in the LDAP, which puts a burden on the LDAP to unpublish revoked certificates. This is also rather unnecessary because, given the CA certificate and the OCSP address, any presented certificate can be authenticated properly.

So I write my own Realm by extending RealmBase and modifying the public Principal authenticate(X509Certificate certs[]) method. I put this realm inside the tag and commented out the userdatabase realm.

But, so far as I can tell, my authenticate method is never called. Print statements (using the 5.5 log techniques) only appear from the start() method, never from authenticate(). And I can get in with revoked client certificates.

Does anyone have an idea of what is happening? How can I debug this?

Thanks,
Jim Rome
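The approach the post describes (a custom Realm that validates the presented client certificate against the CA certificate and an OCSP responder instead of comparing it to a stored copy) as an added example; this is not the poster's Realm or any Tomcat code. It assumes the Tomcat 5.5 RealmBase contract (authenticate(X509Certificate[]) plus the abstract getName/getPassword/getPrincipal methods) and commons-logging, and the trustStoreFile, trustStorePass and ocspResponderUrl attributes, the class name and the log messages are hypothetical choices of this example. The revocation check is the standard JDK PKIX validator with the ocsp.enable security property, which is what makes a revoked certificate fail validation.

```java
// Added example (not from the original post or Tomcat): a Tomcat 5.5-style Realm
// that accepts a client certificate only if its chain validates to a trusted CA
// in a trust store AND passes an OCSP revocation check.
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Principal;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

public class OcspCertificateRealm extends RealmBase {

    private static final Log log = LogFactory.getLog(OcspCertificateRealm.class);

    // Hypothetical server.xml attributes: trustStoreFile="..." trustStorePass="..." ocspResponderUrl="..."
    private String trustStoreFile;
    private String trustStorePass;
    private String ocspResponderUrl;
    private PKIXParameters pkixParams;

    public void setTrustStoreFile(String f) { trustStoreFile = f; }
    public void setTrustStorePass(String p) { trustStorePass = p; }
    public void setOcspResponderUrl(String u) { ocspResponderUrl = u; }

    // Load the CA certificates once; every authenticate() call reuses the parameters.
    public void start() throws LifecycleException {
        super.start();
        try {
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            FileInputStream in = new FileInputStream(trustStoreFile);
            try { ts.load(in, trustStorePass.toCharArray()); } finally { in.close(); }
            pkixParams = new PKIXParameters(ts);      // trust anchors = CA certs in the store
            pkixParams.setRevocationEnabled(true);    // a missing revocation answer is a failure, not a pass
            Security.setProperty("ocsp.enable", "true");
            if (ocspResponderUrl != null) {           // otherwise the AIA extension of the certificate is used
                Security.setProperty("ocsp.responderURL", ocspResponderUrl);
            }
            log.info("OcspCertificateRealm started, trust store " + trustStoreFile);
        } catch (Exception e) {
            throw new LifecycleException("cannot load trust store " + trustStoreFile, e);
        }
    }

    // Called by SSLAuthenticator with the chain the client presented, leaf first.
    public Principal authenticate(X509Certificate certs[]) {
        if (certs == null || certs.length == 0) {
            return null;
        }
        try {
            List chain = new ArrayList();
            for (int i = 0; i < certs.length; i++) {
                chain.add(certs[i]);
            }
            // If the client also sent the self-signed root, drop it: the root is the
            // trust anchor from the store, not part of the path to be validated.
            X509Certificate last = certs[certs.length - 1];
            if (chain.size() > 1
                    && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                chain.remove(chain.size() - 1);
            }
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
            // Throws CertPathValidatorException for an untrusted issuer, an expired,
            // a revoked, or an OCSP-unverifiable certificate.
            CertPathValidator.getInstance("PKIX").validate(path, pkixParams);
        } catch (Exception e) {
            log.warn("client certificate rejected: " + e.getMessage());
            return null;
        }
        String name = certs[0].getSubjectX500Principal().getName();
        log.debug("client certificate accepted for " + name);
        return new GenericPrincipal(this, name, null, Collections.EMPTY_LIST);
    }

    // Remaining RealmBase contract (Tomcat 5.5): no passwords exist in this realm.
    protected String getName() { return "OcspCertificateRealm"; }
    protected String getPassword(String username) { return null; }
    protected Principal getPrincipal(String username) {
        return new GenericPrincipal(this, username, null);
    }
}
```

Two points worth keeping in mind when wiring this in: the realm must be the one the Context actually resolves (a Realm declared on a Host or Context overrides one declared higher up), and the connector must have clientAuth set so that SSLAuthenticator receives a chain at all; with revocation enabled, an unreachable OCSP responder makes validate() fail, so the realm fails closed rather than letting a possibly revoked certificate through.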