tomcat-users mailing list archives

From ahuelsing <ahuels...@onlinehome.de>
Subject Re: Authenticate with X509 certification
Date Thu, 05 Jun 2008 10:59:54 GMT
Hi,

you have to set clientAuth="true"

andreas

Luis Pascual Forner wrote:
> Thanks, Bill,
> I use the JIO connector.
> That's my server.xml:
>
> <?xml version="1.0" encoding="UTF-8"?>
> <Server port="8006" shutdown="SHUTDOWN">
>
>   <Listener className="org.apache.catalina.core.AprLifecycleListener" />
>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
>   <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
>
>
>   <GlobalNamingResources>
>
>     <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
>
>     <Resource name="UserDatabase" auth="Container"
>               type="org.apache.catalina.UserDatabase"
>        description="User database that can be updated and saved"
>            factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>           pathname="conf/tomcat-users.xml" />
>
>   </GlobalNamingResources>
>
>   <Service name="Catalina">
>
>     <Connector port="8081" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>                enableLookups="false" redirectPort="8443" acceptCount="100"
>                connectionTimeout="20000" disableUploadTimeout="true" />
>     <Connector acceptCount="100" clientAuth="false"
>                disableUploadTimeout="true" keystoreFile="/XXXXXXXXX/xxxxx.p12"
>                keystorePass="XXXXXX" keystoreType="PKCS12" port="8443" scheme="https"
>                secure="true" sslProtocol="TLS"
>                truststoreFile="/XXXXXXXXXXXXXXX/trustcacerts"
>                truststorePass="XXXXXXX" truststoreType="JKS"/>
>
>     <Connector port="8010"
>                enableLookups="false" redirectPort="8443" protocol="AJP/1.3" />
>
>     <Engine name="Catalina" defaultHost="localhost">
>
>
>       <Realm className="com.ival.tomcat.X509Realm" debug="0" />
>
>       <Host name="localhost" appBase="webapps"
>        unpackWARs="true" autoDeploy="true"
>        xmlValidation="false" xmlNamespaceAware="false">
>
>       <Context docBase="cavi" path="/cavi" reloadable="true" />
>       <Context docBase="x509" path="/x509" reloadable="true" allowLinking="true" />
>
>       </Host>
>
>     </Engine>
>
>   </Service>
>
> </Server>
>
>
>
> Bill Barker wrote:
>> "Luis Pascual Forner" <lpascual@ival.com> wrote in message 
>> news:48465C00.503@ival.com...
>>> Hi,
>>>
>>>   I need to authenticate ONLY with a client certificate (i.e., I don't want
>>> to check any user database). I did the following:
>>>
>>>   1. I wrote an "X509Realm", with a method "authenticate" that
>>>      only checks the validity of each certificate in the
>>>      certificate chain (it doesn't check whether the user exists in
>>>      any database).
>>>   2. Declared this new class in
>>>      "org/apache/catalina/realm/mbeans-descriptors.xml" and
>>>      "org/apache/catalina/mbeans/mbeans-descriptors.xml".
>>>   3. Edited "server.xml" and configured the realm.
>>>   4. Edited "web.xml" to set the auth-method to "CLIENT-CERT".
>>>   5. Put "X509Realm.class" and "mbeans-descriptors.xml" in
>>>      "server/classes", with the correct path.
>>>   6. Restarted Tomcat.
>>>
>>>   Now I can authenticate with an X509 certificate, and get the
>>> client certificate with
>>> getAttribute("javax.servlet.request.X509Certificate"). But
>>> sometimes this method returns null. Why?
>>>
>>
>> That almost certainly means that the client didn't send a cert. But more
>> info on your setup would get a better response. For example, are you
>> using the APR or the JIO Connector?
>>
>>> regards
>>>
>>> ---------------------------------------------------------------------
>>> To start a new topic, e-mail: users@tomcat.apache.org
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>>
>
>
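The null return discussed in this thread, as an added example that is not code from the thread or from Tomcat: a hypothetical servlet filter (the class name ClientCertCheckFilter is assumed) that reads the javax.servlet.request.X509Certificate attribute, rejects the request when the attribute is null (the client sent no certificate, which is what a connector left at clientAuth="false" allows), and otherwise checks each certificate in the chain the way the thread's X509Realm is described to. It assumes the connector has been set to clientAuth="true" as Andreas advises, so that the chain's trust anchor was already verified against the truststore during the handshake.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;
// Hypothetical filter (not part of Tomcat): refuses requests without a usable client chain.
public class ClientCertCheckFilter implements Filter {
    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
            throws IOException, ServletException {
        // Tomcat stores the chain presented in the TLS handshake under this attribute. It is
        // null when the client sent none, which clientAuth="false" allows (browser never asked).
        X509Certificate[] certs =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        HttpServletResponse resp = (HttpServletResponse) res;
        if (certs == null || certs.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        String problem = checkChain(certs);
        if (problem != null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, problem);
            return;
        }
        next.doFilter(req, res);
    }
    // The check the thread's X509Realm is described as doing: each certificate in the chain
    // (certs[0] is the client's own) must be inside its validity period and signed by the next
    // one up; trust in the last one came from the connector's truststore at handshake time.
    static String checkChain(X509Certificate[] certs) {
        try {
            for (int i = 0; i < certs.length; i++) {
                certs[i].checkValidity();                         // expired or not yet valid
                if (i + 1 < certs.length) {
                    certs[i].verify(certs[i + 1].getPublicKey()); // issuer signature
                }
            }
        } catch (GeneralSecurityException e) {
            return "invalid client certificate chain: " + e.getMessage();
        }
        return null; // chain passed
    }
}
```

Map the filter in web.xml onto the paths that must only be reachable with a certificate; with clientAuth="true" on the connector the null branch is reached only when the handshake itself did not require a certificate.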

