tomcat-users mailing list archives

From "Duan, Nick" <ND...@mcdonaldbradley.com>
Subject RE: Tomcat and client certificates
Date Wed, 01 Feb 2006 15:25:31 GMT
The clientAuth attribute of the connector has to be set to true.  Then
you will need a client cert to access resources under /html/*, but not
other pages.  See the Tomcat SSL guide on how to create the client cert.

ND

-----Original Message-----
From: Markus [mailto:axianx@googlemail.com] 
Sent: Wednesday, February 01, 2006 9:22 AM
To: Tomcat Users List
Subject: Re: Tomcat and client certificates

Setting clientAuth to true / false in the Connector configuration
works fine, but how do I configure client authentication on a
per-directory or even per-servlet basis?

This is my current configuration:

In server.xml:
    <Connector port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="\...\keystore.jks" keystorePass="wonttell"
               truststoreFile="\...\truststore.jks" truststorePass="wonttell"
               />

In web.xml:
	<security-constraint>
		<web-resource-collection>
			<url-pattern>/html/*</url-pattern>
		</web-resource-collection>
		<auth-constraint/>
		<user-data-constraint/>
	</security-constraint>
	<login-config>
		<auth-method>CLIENT-CERT</auth-method>
	</login-config>

And here are the results I get:

https://domain/anypage : OK
https://domain/html/anypage : HTTP Status 403 - Access to the
requested resource has been denied

The logfile says:

01.02.2006 15:19:57 org.apache.coyote.http11.Http11Processor action
WARNING: Exception getting SSL Cert
java.net.SocketException: Socket Closed

What's wrong with my configuration?

Markus

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
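
An added example, not part of either message in this thread: a Python check that parses a web.xml fragment and reports any security-constraint whose auth-constraint lists no role-name (the Servlet specification treats that as denying all access to the matching URLs) or whose user-data-constraint has no transport-guarantee. The sample input is the fragment quoted above wrapped in a constructed <web-app> root; the function names are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the web.xml fragment from the quoted message, wrapped in
# a <web-app> root so that it parses as a single document.
SAMPLE_WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <url-pattern>/html/*</url-pattern>
    </web-resource-collection>
    <auth-constraint/>
    <user-data-constraint/>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
</web-app>"""

def local(tag):
    """Strip an XML namespace so the check works with or without xmlns."""
    return tag.rsplit("}", 1)[-1]

def children(elem, name):
    """Direct child elements of elem with the given local name."""
    return [c for c in elem if local(c.tag) == name]

def audit_web_xml(xml_text):
    """Return a list of (url_patterns, finding) tuples for a web.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    for sc in children(root, "security-constraint"):
        patterns = tuple(
            (p.text or "").strip()
            for wrc in children(sc, "web-resource-collection")
            for p in children(wrc, "url-pattern"))
        for ac in children(sc, "auth-constraint"):
            roles = [r for r in children(ac, "role-name") if (r.text or "").strip()]
            if not roles:
                # Servlet spec: an auth-constraint naming no roles denies everyone.
                findings.append((patterns, "deny-all: auth-constraint has no role-name"))
        for udc in children(sc, "user-data-constraint"):
            if not children(udc, "transport-guarantee"):
                findings.append((patterns, "user-data-constraint has no transport-guarantee"))
    return findings
```

Calling audit_web_xml(SAMPLE_WEB_XML) reports both findings for /html/*; a constraint that names a role and a transport-guarantee produces none.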