tomcat-users mailing list archives

From Luis Pascual Forner <lpasc...@ival.com>
Subject Re: Authenticate with X509 certification
Date Thu, 05 Jun 2008 07:22:12 GMT
More information:

If I use Internet Explorer, this appears in the log:

java.net.SocketException: Socket Closed
         at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:201)
         at java.net.Socket.setSoTimeout(Socket.java:997)
         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(SSLSocketImpl.java:2047)
         at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:99)
         at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:67)
         at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:121)
         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1131)
         at org.apache.coyote.Request.action(Request.java:349)
         at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:138)
         at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
         at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
         at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
         at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
         at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
         at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
         at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
         at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
         at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
         at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
         at java.lang.Thread.run(Thread.java:619)


But not if I use Firefox on Linux.

Luis Pascual Forner wrote:
> Thanks, Bill,
> I use the JIO connector.
> That's my server.xml:
> 
> <?xml version="1.0" encoding="UTF-8"?>
> <Server port="8006" shutdown="SHUTDOWN">
> 
>   <Listener className="org.apache.catalina.core.AprLifecycleListener" />
>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>   <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
> 
>   <GlobalNamingResources>
> 
>     <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
> 
>     <Resource name="UserDatabase" auth="Container"
>               type="org.apache.catalina.UserDatabase"
>        description="User database that can be updated and saved"
>            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>           pathname="conf/tomcat-users.xml" />
> 
>   </GlobalNamingResources>
> 
>   <Service name="Catalina">
> 
>     <Connector port="8081" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" redirectPort="8443" acceptCount="100"
>                connectionTimeout="20000" disableUploadTimeout="true" />
>     <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
>                clientAuth="false" acceptCount="100" disableUploadTimeout="true"
>                keystoreFile="/XXXXXXXXX/xxxxx.p12" keystorePass="XXXXXX" keystoreType="PKCS12"
>                truststoreFile="/XXXXXXXXXXXXXXX/trustcacerts" truststorePass="XXXXXXX"
>                truststoreType="JKS" />
> 
>     <Connector port="8010" protocol="AJP/1.3"
>                enableLookups="false" redirectPort="8443" />
> 
>     <Engine name="Catalina" defaultHost="localhost">
> 
> 
>       <Realm className="com.ival.tomcat.X509Realm" debug="0" />
> 
>       <Host name="localhost" appBase="webapps"
>        unpackWARs="true" autoDeploy="true"
>        xmlValidation="false" xmlNamespaceAware="false">
> 
>       <Context docBase="cavi" path="/cavi" reloadable="true" />
>       <Context docBase="x509" path="/x509" reloadable="true" allowLinking="true" />
> 
>       </Host>
> 
>     </Engine>
> 
>   </Service>
> 
> </Server>
> 
> 
> 
> Bill Barker wrote:
>> "Luis Pascual Forner" <lpascual@ival.com> wrote in message 
>> news:48465C00.503@ival.com...
>>> Hi,
>>>
>>>   I need to authenticate ONLY with a client certificate (i.e., I don't want
>>> to check any user database). I did the following:
>>>
>>>   1. I wrote an "X509Realm", with a method "authenticate" that
>>>      only checks the validity of each certificate in the
>>>      certificate chain (it doesn't check whether the user exists in
>>>      any database).
>>>   2. Declare this new class in
>>>      "org/apache/catalina/realm/mbeans-descriptors.xml" and
>>>      "org/apache/catalina/mbeans/mbeans-descriptors.xml".
>>>   3. Edit "server.xml" and configure the realm.
>>>   4. Edit "web.xml" to set the auth-method to "CLIENT-CERT"
>>>   5. Put "X509Realm.class" and "mbeans-descriptors.xml" in
>>>      "server/classes", with the correct path.
>>>   6. Restart Tomcat.
>>>
>>>   Now I can authenticate with an X509 certificate and get the
>>> client certificate with
>>> getAttribute("javax.servlet.request.X509Certificate"). But
>>> sometimes this method returns null. Why?
>>>
>>
>> That almost certainly means that the client didn't send a cert.  But more 
>> info on your setup would get a better response.  For example, are you 
>> using the APR or the JIO Connector?
>>
>>> regards
>>>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
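The two things this thread turns on, the attribute being null and the realm checking the chain, as an added example in Java that is not from the thread, from the poster's X509Realm, or from Tomcat. The stack trace above shows SSLAuthenticator asking the connector for the peer chain, which with clientAuth="false" means a second handshake after the request has arrived; if that handshake yields no certificate the request attribute simply stays null, so the code below treats null as "no certificate was presented" and fails closed instead of dereferencing it. It then validates the chain with the JDK's PKIX CertPathValidator against a truststore, rather than calling checkValidity() on each certificate separately. Assumptions made here: a Servlet 2.x API on Java 7 or later, init-parameter names truststoreFile and truststorePass, and a request attribute name clientcert.subject, all chosen for this example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not Tomcat code): requires a client certificate chain on every
 * request it covers and validates that chain back to a trust anchor in a truststore.
 */
public class ClientCertFilter implements Filter {

    /** Attribute the Servlet spec reserves for the peer chain: leaf first, then issuing CAs. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private static final Logger LOG = Logger.getLogger(ClientCertFilter.class.getName());
    private PKIXParameters pkixParams;

    @Override
    public void init(FilterConfig config) throws ServletException {
        // Init-parameter names are this example's own, not a Tomcat convention.
        String file = config.getInitParameter("truststoreFile");
        String pass = config.getInitParameter("truststorePass");
        try (InputStream in = new FileInputStream(file)) {
            KeyStore trust = KeyStore.getInstance("JKS");
            trust.load(in, pass == null ? null : pass.toCharArray());
            pkixParams = new PKIXParameters(trust);  // every trusted-certificate entry becomes a trust anchor
            pkixParams.setRevocationEnabled(false);  // no CRL/OCSP source is wired up here; enable once there is one
        } catch (IOException | GeneralSecurityException e) {
            throw new ServletException("cannot load truststore " + file, e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        if (certs == null || certs.length == 0) {
            // Nothing reached the container: plain-HTTP connector, the browser offered no
            // certificate (e.g. its issuer is not among the CAs the truststore advertises),
            // or the renegotiation used with clientAuth="false" did not complete.
            // Fail closed with a status code instead of dereferencing the array.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        try {
            String subject = validate(certs, pkixParams);
            req.setAttribute("clientcert.subject", subject);  // attribute name chosen for this example
            chain.doFilter(req, res);
        } catch (GeneralSecurityException e) {
            LOG.warning("rejected client certificate " + certs[0].getSubjectX500Principal() + ": " + e);
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not trusted");
        }
    }

    /**
     * Validates the whole chain back to a trust anchor (signatures, validity periods,
     * basic constraints, name chaining) and returns the leaf's subject DN.
     * Checking each certificate's dates on its own does not establish that the leaf
     * was issued by a CA you trust; PKIX path validation does.
     */
    static String validate(X509Certificate[] chain, PKIXParameters params) throws GeneralSecurityException {
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(chain));
        // If the client also sent a self-signed root, drop it: anchors come from the truststore, not the peer.
        X509Certificate last = path.get(path.size() - 1);
        if (path.size() > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            path.remove(path.size() - 1);
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        CertPathValidator.getInstance("PKIX").validate(certPath, params);  // throws CertPathValidatorException on failure
        return chain[0].getSubjectX500Principal().getName();
    }

    @Override
    public void destroy() {
    }
}
```

Map the filter in web.xml to the same URL patterns as the CLIENT-CERT security constraint and keep auth-method set to CLIENT-CERT, since it is the container, not the filter, that asks the client for a certificate; the filter only decides what to do with what arrived. When the attribute is null for some browsers and not others, check from the client side that the issuing CA of the client certificate is present in the connector's truststoreFile, because the server advertises exactly those CAs in its certificate request and a browser only offers certificates chaining to one of them.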