Return-Path: 
 <users-return-248235-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
X-Original-To: apmail-tomcat-users-archive@www.apache.org
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id E94411049B
	for <apmail-tomcat-users-archive@www.apache.org>;
 Sat,  3 May 2014 23:31:47 +0000 (UTC)
Received: (qmail 14684 invoked by uid 500); 3 May 2014 23:31:43 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 14566 invoked by uid 500); 3 May 2014 23:31:43 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 14557 invoked by uid 99); 3 May 2014 23:31:43 -0000
Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 03 May 2014 23:31:43 +0000
X-ASF-Spam-Status: No, hits=1.7 required=5.0
	tests=FREEMAIL_ENVFROM_END_DIGIT,HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (nike.apache.org: domain of dhayamoorthi2013@gmail.com
 designates 209.85.212.176 as permitted sender)
Received: from [209.85.212.176] (HELO mail-wi0-f176.google.com)
 (209.85.212.176)
    by apache.org (qpsmtpd/0.29) with ESMTP; Sat, 03 May 2014 23:31:39 +0000
Received: by mail-wi0-f176.google.com with SMTP id n15so1195766wiw.9
        for <users@tomcat.apache.org>; Sat, 03 May 2014 16:31:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:date:message-id:subject:from:to:content-type;
        bh=nsjYbybLZ1InX++0SKKqBXksvlMk2u64Byk/sS0KQR8=;
        b=mtSNeS2Y4e0/Bpn0iZswEZmKYEvN9xRydrOOD9QIfjfDtbrQkqL+SunyrebfRd1XaF
         hOrb4ZeOn6Apl5DawELLsa1hVj2DbvRKVYcoqK6DKt9jDV91c+wt1EK0CAyNadRR8/xv
         +o00A9IOsFbKkcsUq1ZQ6hgxqSrgATQZurfalBcW6P3eoLII51JEys95fCZrCI4ZhXWy
         DIv58VDCjNhC/umFQ7HSWD/poW/egw+LcJe4H9cAqx62uGPXZXse0faRTbqdGuqKu9jZ
         +8diLRflaUXAfJc0dpdFwisEBYJB7FlgntlGxFIU7EvHZyoKhuwuwlcbhDWJSY5ndX/V
         TkAw==
MIME-Version: 1.0
X-Received: by 10.180.211.239 with SMTP id nf15mr9188144wic.9.1399159877252;
 Sat, 03 May 2014 16:31:17 -0700 (PDT)
Received: by 10.216.111.3 with HTTP; Sat, 3 May 2014 16:31:17 -0700 (PDT)
Date: Sat, 3 May 2014 19:31:17 -0400
Message-ID: 
 <CACtY-KyfGCj7_xS-FERwUuT9L4Ar+tcz7MLTEK4GYE94rxAHkQ@mail.gmail.com>
Subject: Tomcat7 Client Certicate Authentication Using Datasource Realm Fails
From: Dhayanidhi sundaramoorthi <dhayamoorthi2013@gmail.com>
To: users <users@tomcat.apache.org>
Content-Type: multipart/alternative; boundary=001a11c264ec77bb1a04f8874b36
X-Virus-Checked: Checked by ClamAV on apache.org

--001a11c264ec77bb1a04f8874b36
Content-Type: text/plain; charset=UTF-8

Hi,

In Tomcat7, we are trying to do client certificate authentication using
datasource realm. But it fails.

Please fnd the configuration below:

server.xml:
----------------
<?xml version="1.0" encoding="UTF-8" standalone="no" ?>
<Server port="8005" shutdown="SHUTDOWN"><Listener SSLEngine="on"
className="org.apache.catalina.core.AprLifecycleListener"/>
<Listener className="org.apache.catalina.core.JasperListener"/>
<Listener
className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
<Listener
className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
<Listener
className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
<!-- <GlobalNamingResources><Resource auth="Container" description="User
database that can be updated and saved"
factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
name="UserDatabase" pathname="conf/tomcat-users.xml"
type="org.apache.catalina.UserDatabase"/>
</GlobalNamingResources> -->
<Service name="Catalina">
<Connector SSLEnabled="true" clientAuth="true" connectionTimeout="10000"
keyAlias="masfed_server_dit"
keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks" keystorePass="sso@di"
maxThreads="150" port="8443"
protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
secure="true" server="Server" sslProtocol="TLS"
truststorefile="/opt/ADP/keystores/masfed_server_dit.jks"
 truststorepass="sso@di" enablelookups="false"/>
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
<Engine defaultHost="localhost" name="Catalina">
<!-- <Realm className="org.apache.catalina.realm.MemoryRealm"
resourceName="UserDatabase"/> -->
<!--
<Realm className="org.apache.catalina.realm.LockOutRealm"><Realm
className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
-->
<GlobalNamingResources>
<Realm className="org.apache.catalina.realm.DataSourceRealm"
   dataSourceName="jdbc/FederationDS"
   userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD"
   userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME" debug="99"
 allRolesMode="authOnly" />
</GlobalNamingResources>

<Host appBase="webapps" autoDeploy="true" name="localhost"
unpackWARs="true"><Valve
className="org.apache.catalina.valves.AccessLogValve" directory="logs"
pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log."
suffix=".txt"/>
</Host>
</Engine>
</Service>
</Server>


security role configuration <tomcat_base>/conf/web.xml:
---------------------------------------------------------------------------------

<security-role>
            <role-name>masFedClient</role-name>
         </security-role>
       <security-constraint>
           <web-resource-collection>
             <web-resource-name>all</web-resource-name>
           <url-pattern>/*</url-pattern>
         </web-resource-collection>
         <auth-constraint>
            <role-name>masFedClient</role-name>
          </auth-constraint>
          <user-data-constraint>
             <transport-guarantee>CONFIDENTIAL</transport-guarantee>
         </user-data-constraint>
     </security-constraint>
     <login-config>
         <auth-method>CLIENT-CERT</auth-method>
        <!--  <realm-name>tomcat-users</realm-name> -->
         <realm-name>jdbc/FederationDS</realm-name>
     </login-config>

Database has all the required tables and columns.

But authentication fails with the below mentioned error:

FINE:  Checking validity for
'$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$'
May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
FINE:  Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL
SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign
Trust Network, O="VeriSign, Inc.", C=US'
May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
FINE:  Checking validity for 'CN=VeriSign Class 3 Public Primary
Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized
use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US'
May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase getPrincipal
FINE: Got user name from X509 certificate:
$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
May 03, 2014 7:16:29 PM org.apache.catalina.authenticator.AuthenticatorBase
invoke
FINE:  Failed authenticate() test

For security purpose, I had mad the certificate cn name as $$$$$$$$$$.

The error message does not tell why the authentication is failing.

Do I need to enable additional logs. If so how to enable.

Request your help in fixing this issue.
Any help would be highly appreciated.

Thanks
Dhaya

--001a11c264ec77bb1a04f8874b36--