From: Luis Pascual Forner
Organization: IVAL informática <http://www.ival.com>
Date: Thu, 05 Jun 2008 09:22:12 +0200
To: Tomcat Users List
Subject: Re: Authenticate with X509 certification
Message-ID: <48479424.4010902@ival.com>
References: <48465C00.503@ival.com> <48478FD7.7020707@ival.com>
In-Reply-To: <48478FD7.7020707@ival.com>

More information: If I use Internet Explorer, the following appears in the log:

java.net.SocketException: Socket Closed
 at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:201)
 at java.net.Socket.setSoTimeout(Socket.java:997)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(SSLSocketImpl.java:2047)
 at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:99)
 at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:67)
 at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:121)
 at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1131)
 at org.apache.coyote.Request.action(Request.java:349)
 at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:138)
 at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:491)
 at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
 at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
 at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:108)
 at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:174)
 at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:874)
 at org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:665)
 at org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:528)
 at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:81)
 at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:689)
 at java.lang.Thread.run(Thread.java:619)

But not if I use Firefox with Linux.

Luis Pascual Forner wrote:
> Thanks, Bill,
> I use the JIO connector.
> That's my server.xml:
>
> className="org.apache.catalina.mbeans.ServerLifecycleListener" />
> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
> className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
>
> type="org.apache.catalina.UserDatabase"
> description="User database that can be updated and saved"
> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
> pathname="conf/tomcat-users.xml" />
>
> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> enableLookups="false" redirectPort="8443" acceptCount="100"
> connectionTimeout="20000" disableUploadTimeout="true" />
> disableUploadTimeout="true" keystoreFile="/XXXXXXXXX/xxxxx.p12"
> keystorePass="XXXXXX" keystoreType="PKCS12" port="8443" scheme="https"
> secure="true" sslProtocol="TLS"
> truststoreFile="/XXXXXXXXXXXXXXX/trustcacerts" truststorePass="XXXXXXX"
> truststoreType="JKS"/>
>
> enableLookups="false" redirectPort="8443"
> protocol="AJP/1.3" />
>
> unpackWARs="true" autoDeploy="true"
> xmlValidation="false" xmlNamespaceAware="false">
>
> allowLinking="true" />
>
> Bill Barker wrote:
>> "Luis Pascual Forner" wrote in message
>> news:48465C00.503@ival.com...
>>> Hi,
>>>
>>> I need to authenticate ONLY with a client certificate (i.e., I don't want
>>> to check any user database). I did the following:
>>>
>>> 1. I wrote an "X509Realm" with a method "authenticate" that
>>> only checks the validity of each certificate in the
>>> certificate chain (it does not check whether the user exists in
>>> any database).
>>> 2. Declared this new class in
>>> "org/apache/catalina/realm/mbeans-descriptors.xml" and
>>> "rg/apache/catalina/mbeans/mbeans-descriptors.xml".
>>> 3. Edited "server.xml" and configured the realm.
>>> 4. Edited "web.xml" to set the auth-method to "CLIENT-CERT".
>>> 5. Put "X509Realm.class" and "mbeans-descriptors.xml" in
>>> "server/classes", with the correct path.
>>> 6. Restarted Tomcat.
>>>
>>> Now, I can authenticate with X509 certificate, and get the
>>> client certificate with
>>> getAttribute("javax.servlet.request.X509Certificate"). But,
>>> sometimes, this method returns null. Why?
>>>
>>
>> Almost certainly means that the client didn't send a cert. But more
>> info on your setup would get a better response. For example, are you
>> using the APR or the JIO Connector?
>>
>>> regards
>>>
>>
>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
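An added example, not code from this thread or from Tomcat: a servlet filter that applies the check from step 1 of the original post (validity of every certificate in the chain) at the request layer and fails closed when `javax.servlet.request.X509Certificate` is null, the case Bill describes. It assumes the Servlet 2.x `javax.servlet` API and a hypothetical filter name `ClientCertFilter`.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter written for this thread: rejects requests that reach a
// CLIENT-CERT protected resource without a usable client certificate chain.
public class ClientCertFilter implements Filter {
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Null is the case asked about in the thread: the TLS layer never obtained
        // a client certificate, so there is nothing to authenticate against.
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        String problem = checkChain(certs);
        if (problem != null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, problem);
            return;
        }
        chain.doFilter(req, res);
    }

    // Returns null when the chain is acceptable, otherwise a short reason. Trust in
    // the root is already decided by the connector's truststore; this repeats only
    // the per-certificate validity check the original post's realm performs.
    static String checkChain(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            return "no client certificate presented";
        }
        for (int i = 0; i < certs.length; i++) {
            try {
                certs[i].checkValidity(); // expired or not yet valid
            } catch (CertificateException e) {
                return "certificate " + i + " is not currently valid";
            }
            // Every certificate except the last must be signed by the next one up.
            if (i + 1 < certs.length) {
                try {
                    certs[i].verify(certs[i + 1].getPublicKey());
                } catch (Exception e) {
                    return "chain is broken at certificate " + i;
                }
            }
        }
        return null;
    }
}
```

Map the filter to the same URL pattern as the CLIENT-CERT security constraint in web.xml. The quoted connector sets no clientAuth, so Tomcat obtains the certificate by renegotiating the TLS session when the constraint is hit (the synchronousHandshake frame in the trace); a client that drops that renegotiation leaves the attribute null, which this turns into a 403 rather than a NullPointerException.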