tomcat-users mailing list archives

From Luis Pascual Forner <lpasc...@ival.com>
Subject Re: Authenticate with X509 certification
Date Thu, 05 Jun 2008 07:03:51 GMT
Thanks, Bill,
I use the JIO connector.
That's my server.xml:

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8006" shutdown="SHUTDOWN">

   <Listener className="org.apache.catalina.core.AprLifecycleListener" />
   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
   <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>

   <GlobalNamingResources>

     <Environment name="simpleValue" type="java.lang.Integer" value="30"/>

     <Resource name="UserDatabase" auth="Container"
               type="org.apache.catalina.UserDatabase"
        description="User database that can be updated and saved"
            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
           pathname="conf/tomcat-users.xml" />

   </GlobalNamingResources>

   <Service name="Catalina">

     <Connector port="8081" maxHttpHeaderSize="8192"
                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                enableLookups="false" redirectPort="8443" acceptCount="100"
                connectionTimeout="20000" disableUploadTimeout="true" />
     <!-- clientAuth="false": the connector does not ask the client for a
          certificate during the initial TLS handshake. A CLIENT-CERT login
          then relies on Tomcat requesting one (a renegotiation) when a
          protected resource is hit; clientAuth="want" asks for it up front,
          and clientAuth="true" rejects clients that present none. -->
     <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
                clientAuth="false" acceptCount="100" disableUploadTimeout="true"
                keystoreFile="/XXXXXXXXX/xxxxx.p12" keystorePass="XXXXXX"
                keystoreType="PKCS12"
                truststoreFile="/XXXXXXXXXXXXXXX/trustcacerts" truststorePass="XXXXXXX"
                truststoreType="JKS"/>

     <Connector port="8010" protocol="AJP/1.3"
                enableLookups="false" redirectPort="8443" />

     <Engine name="Catalina" defaultHost="localhost">


       <Realm className="com.ival.tomcat.X509Realm" debug="0" />

       <Host name="localhost" appBase="webapps"
        unpackWARs="true" autoDeploy="true"
        xmlValidation="false" xmlNamespaceAware="false">

       <Context docBase="cavi" path="/cavi" reloadable="true" />
       <Context docBase="x509" path="/x509" reloadable="true" allowLinking="true" />

       </Host>

     </Engine>

   </Service>

</Server>



Bill Barker wrote:
> "Luis Pascual Forner" <lpascual@ival.com> wrote in message 
> news:48465C00.503@ival.com...
>> Hi,
>>
>>   I need to authenticate ONLY with a client certificate (i.e., I don't want
>> to check any user database). I did the following:
>>
>>   1. I wrote an "X509Realm" with a method "authenticate" that
>>      only checks the validity of each certificate in the
>>      certificate chain (it doesn't check whether the user exists in
>>      any database).
>>   2. Declared this new class in
>>      "org/apache/catalina/realm/mbeans-descriptors.xml" and
>>      "org/apache/catalina/mbeans/mbeans-descriptors.xml".
>>   3. Edited "server.xml" and configured the realm.
>>   4. Edited "web.xml" to set the auth-method to "CLIENT-CERT".
>>   5. Put "X509Realm.class" and "mbeans-descriptors.xml" in
>>      "server/classes", with the correct path.
>>   6. Restarted Tomcat.
>>
>>   Now I can authenticate with an X509 certificate and get the
>> client certificate with
>> getAttribute("javax.servlet.request.X509Certificate"). But
>> sometimes this method returns null. Why?
>>
> 
> Almost certainly means that the client didn't send a cert.  But more info on 
> your setup would get a better response.  For example, are you using the APR 
> or the JIO Connector?
> 
>> regards
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org



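The thread describes a Realm that authenticates from the client certificate chain alone, and the null result that appears when no certificate was sent. The following is an added example, not Luis's com.ival.tomcat.X509Realm and not Tomcat's own code: a certificate-only Realm written against the Tomcat 5.5 / 6.0 org.apache.catalina.realm.RealmBase API (assumed), with a hypothetical package and class name, a hypothetical fixed role name, and java.util.logging in place of the container's logger. Its one security-relevant rule is that a null or empty chain is always a failed login, never a pass.

```java
package com.example.tomcat;  // hypothetical package, not the poster's com.ival.tomcat

import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Realm that authenticates purely from the TLS client certificate chain,
 * with no user database. Assumes the Tomcat 5.5 / 6.0 RealmBase API
 * (abstract getName/getPassword/getPrincipal, public authenticate(X509Certificate[])).
 */
public class CertOnlyRealm extends RealmBase {

    private static final Logger LOG = Logger.getLogger(CertOnlyRealm.class.getName());

    // Fixed role granted to every holder of an accepted certificate.
    // Hypothetical name: with no database there is nothing else to derive roles from.
    private static final List<String> ROLES = Arrays.asList("certuser");

    @Override
    protected String getName() {
        return "CertOnlyRealm";
    }

    /**
     * Called by SSLAuthenticator with the chain Tomcat exposes as
     * javax.servlet.request.X509Certificate. A null or empty chain means the
     * client presented no certificate (clientAuth="false" with no renegotiation,
     * or the client declined): that must fail, not silently succeed.
     */
    @Override
    public Principal authenticate(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            LOG.warning("no client certificate presented; refusing login");
            return null;
        }
        // Validity-window check on every certificate in the chain. The TLS
        // layer has already verified the chain against truststoreFile, so
        // this is a defensive re-check, not the trust decision itself.
        for (X509Certificate cert : certs) {
            try {
                cert.checkValidity();
            } catch (CertificateException e) {
                LOG.warning("rejecting chain, " + cert.getSubjectDN() + ": " + e.getMessage());
                return null;
            }
        }
        // certs[0] is the end-entity certificate; its subject DN becomes the user name.
        String user = certs[0].getSubjectDN().getName();
        return new GenericPrincipal(this, user, null, ROLES);
    }

    // No password store: username/password logins are never accepted.
    @Override
    protected String getPassword(String username) {
        return null;
    }

    @Override
    protected Principal getPrincipal(String username) {
        return null;
    }
}
```

Wired in with `<Realm className="com.example.tomcat.CertOnlyRealm"/>` in server.xml and `<auth-method>CLIENT-CERT</auth-method>` plus a security-constraint naming the "certuser" role in web.xml, a request that arrives without a certificate is turned away by the authenticator rather than reaching the application with a null attribute; the attribute can still be null on unprotected URLs, which is the case the original question describes.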