tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Kathryn Cassidy <>
Subject Tomcat 6 CombinedRealm not trying all realms
Date Thu, 06 Aug 2009 14:27:11 GMT
Hi there,

I'm having a problem with Tomcat 6.0.20 when attempting to configure
CombinedRealm authentication.  I'm running on a Centos 5 machine.

I want to set up certificate auth with form fallback using the class
provided here
Certificate DNs are stored in the users table of a mysql database, along
with user login names and passwords to be used if the form fallback is
required.  (note, this is not really relevant to the problem! I just
want to make sure you understand the setup I'm trying to implement, at
the moment for testing purposes I have not configured the
SSLWithFORMFallback Valve, I'm just using plain old CLIENT-CERT as my

Thus I need to have two realms, one which uses the DN as the username and
the other which uses the standard login username, because nobody is
going to log in using their certificate DN as their user name.

server.xml contains the following
        <Realm className="org.apache.catalina.realm.CombinedRealm" >

        <Realm className="org.apache.catalina.realm.DataSourceRealm"
                userTable="users" userNameCol="user_name"
                userRoleTable="user_roles" roleNameCol="role_name"

        <Realm className="org.apache.catalina.realm.DataSourceRealm"
                userTable="users" userNameCol="user_dn"
                userRoleTable="user_roles" roleNameCol="role_name"


While webapps/elgrid/META-INF/context.xml is quoted in full below
<?xml version='1.0' encoding='utf-8'?>

  <Resource name="elgriddb" auth="Container" type="javax.sql.DataSource"
               maxActive="100" maxIdle="30" maxWait="10000"
               username="elgrid" password="elgrid"


I have turned on mysql debug logging in order to see if requests are
hitting the database and I can see that when I authenticate with my
certificate the first Realm is being used, and I see the following
queries hit the DB:

SELECT user_pass FROM users WHERE user_name = 'CN=Kathryn Cassidy,
L=Something, OU=blah blah, etc.'

SELECT role_name FROM user_roles WHERE user_name = 'CN=Kathryn Cassidy,
L=Something, OU=blah blah, etc.'

but authentication fails because it is looking for the DN in the
user_name column.  I think expected behavior should be that it then
tries the second Realm which uses the user_dn field as userNameCol and
this time it should succeed. However, I never see the second set of
auth queries reach the database and I am denied access.

If I put the second Realm definition first in the list then I can
successfully authenticate, so there is nothing wrong with the definition
itself, it appears that it is simply not attempting to authenticate with
the second realm.

I tried using JDBCRealm instead of DataSourceRealm and the effect was
the same.  However, things did seem to work when I put MemoryRealm first
in the list of Realms, followed by either a JDBCRealm or
DataSourceRealm.  I was able to authenticate off the MemoryRealm, or if
it failed to authenticate I could still authenticate off the second
realm.  It just doesn't seem to work with the other Realm types.

According to the documentation it is supposed to work with two Realms of
the same type (and I tried one JDBC and one DataSource realm anyway,
just to be sure, same result).  I'm running out of ideas.  Has anyone
seen this sort of problem before?


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message