tomcat-users mailing list archives

From Dhayanidhi sundaramoorthi <dhayamoorthi2...@gmail.com>
Subject Tomcat7 Client Certificate Authentication Using Datasource Realm Fails
Date Sat, 03 May 2014 23:31:17 GMT
Hi,

In Tomcat7, we are trying to do client certificate authentication using
datasource realm. But it fails.

Please find the configuration below:

server.xml:
----------------
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.core.JasperListener"/>
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
  <!-- <GlobalNamingResources>
         <Resource auth="Container" description="User database that can be updated and saved"
                   factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
                   name="UserDatabase" pathname="conf/tomcat-users.xml"
                   type="org.apache.catalina.UserDatabase"/>
       </GlobalNamingResources> -->
  <Service name="Catalina">
    <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="10000"
               keyAlias="masfed_server_dit"
               keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks" keystorePass="sso@di"
               maxThreads="150" port="8443"
               protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
               secure="true" server="Server" sslProtocol="TLS"
               truststorefile="/opt/ADP/keystores/masfed_server_dit.jks"
               truststorepass="sso@di" enablelookups="false"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
    <Engine defaultHost="localhost" name="Catalina">
      <!-- <Realm className="org.apache.catalina.realm.MemoryRealm"
                  resourceName="UserDatabase"/> -->
      <!--
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      -->
      <GlobalNamingResources>
        <Realm className="org.apache.catalina.realm.DataSourceRealm"
               dataSourceName="jdbc/FederationDS"
               userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD"
               userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME" debug="99"
               allRolesMode="authOnly" />
      </GlobalNamingResources>

      <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log."
               suffix=".txt"/>
      </Host>
    </Engine>
  </Service>
</Server>


security role configuration <tomcat_base>/conf/web.xml:
---------------------------------------------------------------------------------

<security-role>
  <role-name>masFedClient</role-name>
</security-role>
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>masFedClient</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <!--  <realm-name>tomcat-users</realm-name> -->
  <realm-name>jdbc/FederationDS</realm-name>
</login-config>

Database has all the required tables and columns.

But authentication fails with the below mentioned error:

FINE:  Checking validity for
'$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$'
May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
FINE:  Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL
SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign
Trust Network, O="VeriSign, Inc.", C=US'
May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
FINE:  Checking validity for 'CN=VeriSign Class 3 Public Primary
Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized
use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US'
May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase getPrincipal
FINE: Got user name from X509 certificate:
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
May 03, 2014 7:16:29 PM org.apache.catalina.authenticator.AuthenticatorBase
invoke
FINE:  Failed authenticate() test

For security purposes, I had made the certificate CN name $$$$$$$$$$.

The error message does not tell why the authentication is failing.

Do I need to enable additional logs? If so, how do I enable them?

Request your help in fixing this issue.
Any help would be highly appreciated.

Thanks
Dhaya
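The server.xml as posted nests `<GlobalNamingResources>` inside `<Engine>` and declares no resource named jdbc/FederationDS; in Tomcat 7, GlobalNamingResources is a child of `<Server>`, and DataSourceRealm (with the default localDataSource="false") resolves dataSourceName in that global JNDI context. The layout below is an added editorial illustration of that structure, not a reply from the list; the JDBC driver class, URL, database credentials and keystore passwords are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <!-- remaining Listeners as in the original post -->

  <!-- GlobalNamingResources belongs directly under <Server>. DataSourceRealm with
       localDataSource="false" (the default) resolves dataSourceName in this global
       JNDI context, so the DataSource itself has to be declared here. -->
  <GlobalNamingResources>
    <Resource name="jdbc/FederationDS" auth="Container" type="javax.sql.DataSource"
              driverClassName="JDBC_DRIVER_CLASS_PLACEHOLDER"
              url="JDBC_URL_PLACEHOLDER"
              username="DB_USER_PLACEHOLDER" password="DB_PASSWORD_PLACEHOLDER"
              maxActive="20" maxIdle="5" maxWait="10000"/>
  </GlobalNamingResources>

  <Service name="Catalina">
    <!-- Tomcat documents the truststore attributes as camelCase truststoreFile /
         truststorePass; passwords are replaced with placeholders here. -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks"
               keystorePass="KEYSTORE_PASSWORD_PLACEHOLDER" keyAlias="masfed_server_dit"
               truststoreFile="/opt/ADP/keystores/masfed_server_dit.jks"
               truststorePass="TRUSTSTORE_PASSWORD_PLACEHOLDER"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

    <Engine name="Catalina" defaultHost="localhost">
      <!-- The Realm is a direct child of <Engine>. With CLIENT-CERT the username
           handed to the realm is the client certificate's Subject DN (the value the
           "Got user name from X509 certificate" log line prints), so T_USER.USERNAME
           must hold that exact DN string, and T_USER_ROLES needs a row with
           USERNAME = that DN and ROLENAME = 'masFedClient' for the web.xml constraint. -->
      <Realm className="org.apache.catalina.realm.DataSourceRealm"
             dataSourceName="jdbc/FederationDS"
             userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD"
             userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME"
             allRolesMode="authOnly"/>

      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>
```

A failed JNDI lookup or JDBC connection in DataSourceRealm is logged at ERROR level through the container log rather than in the FINE realm trace, so checking catalina.out for a dataSourceRealm error next to the trace above is a useful first step.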
