tomcat-users mailing list archives

From: Andrew Gronosky <agron...@bbn.com>
Subject: Client certificates not authenticated by realm
Date: Mon, 01 Dec 2014 19:33:21 GMT
Hello,

I am trying to set up client-certificate authentication for Tomcat 
7.0.57. I have read the basics in the docs and I have my configuration 
working up to a point.

My problem is that Tomcat accepts the client's connection, but returns 
HTTP status 401 for pages the user is supposed to be authorized to access.

I am confident the certificates and key store etc. are set up properly 
because the TLS connection works with a trusted client certificate and 
not with an untrusted one. :-)

Some relevant snippets from the configuration files:

web.xml from my web app divides the web resources into several 
collections, one of which requires no authentication at all, while the others 
require the user to belong to a particular role. For example:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Public Interface</web-resource-name>
    <url-pattern>/index.html</url-pattern>
    ... etc ...
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>


<security-constraint>
  <web-resource-collection>
    <web-resource-name>Administrator Only</web-resource-name>
    <url-pattern>/admin.html</url-pattern>
    ... etc ...
  </web-resource-collection>
  <auth-constraint>
    <role-name>administrator</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

The Connector is set up in server.xml as:

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               clientAuth="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="${catalina.home}/conf/testServer.jks"
               keystorePass="changeit"
               truststoreFile="${catalina.home}/conf/truststore.jks"
               truststorePass="changeit"
               sslProtocol="TLSv1.2" />

And finally, my Realm is a UserDatabaseRealm:
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase" digest="sha"/>

tomcat-users.xml looks something like this:

<tomcat-users>
  <role rolename="user" /> <!-- System administrators -->
  <role rolename="administrator" /> <!-- System administrators -->
  <user username="testClient_1" password="****redacted***" roles="user" />
  <user username="testClient_2" password="****redacted***" roles="administrator" />
</tomcat-users>

Again, the symptom I am seeing is that a browser with the testClient_2 
certificate installed can connect to the web app and access index.html, 
but gets an HTTP 401 error trying to access admin.html.

Does anyone have suggestions about what I might be overlooking, or how I could 
isolate the cause?

Thanks,

-- 
Andrew Gronosky


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
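The post shows the security constraints, the Connector and the Realm, but no <login-config>, which is the element that tells Tomcat which authenticator to run for resources carrying an <auth-constraint>. Below, as an added example that is not the original poster's configuration, is a complete set of the pieces a CLIENT-CERT setup needs on Tomcat 7: web.xml selects the CLIENT-CERT auth method and declares the roles it references, and tomcat-users.xml names each user by certificate subject DN, because with CLIENT-CERT Tomcat's SSLAuthenticator hands the TLS client certificate chain to the Realm, whose default behaviour is to look the user up by the subject DN of the client certificate, formatted the way Java prints an X.500 name (most specific RDN first, with ", " between RDNs), and the password attribute is not consulted. The DN components OU=Test, O=Example, C=US and the realm-name are assumptions for illustration; the Connector and Realm from the post are unchanged and not repeated.

```xml
<!-- WEB-INF/web.xml (added example, not the original poster's file) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- Public pages: TLS required, no role required. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Public Interface</web-resource-name>
      <url-pattern>/index.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Administrator pages: TLS plus membership in the "administrator" role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Administrator Only</web-resource-name>
      <url-pattern>/admin.html</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>administrator</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Selects SSLAuthenticator: the TLS client certificate chain is passed
       to the Realm instead of a username/password challenge being issued.
       Without this element no certificate-based login takes place. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client certificate</realm-name>  <!-- assumed name -->
  </login-config>

  <!-- Every role named in an auth-constraint must also be declared here. -->
  <security-role>
    <role-name>user</role-name>
  </security-role>
  <security-role>
    <role-name>administrator</role-name>
  </security-role>
</web-app>

<!-- conf/tomcat-users.xml (added example). With CLIENT-CERT the Realm looks
     the user up by the client certificate's subject DN in Java's X.500 name
     format (most specific RDN first, ", " between RDNs); the password
     attribute is not consulted, so it is omitted. The OU/O/C values are
     assumptions for illustration. -->
<tomcat-users>
  <role rolename="user"/>
  <role rolename="administrator"/>
  <user username="CN=testClient_1, OU=Test, O=Example, C=US" roles="user"/>
  <user username="CN=testClient_2, OU=Test, O=Example, C=US" roles="administrator"/>
</tomcat-users>
```

The string Tomcat will look up is the one `keytool -printcert -file testClient_2.crt` reports on its `Owner:` line; paste it verbatim, including the spaces after the commas, since a username that differs from the certificate's DN by a single character matches no user and the constrained resource is refused. A <user> entry can still carry a password for BASIC or FORM logins elsewhere, but it plays no part in certificate authentication.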

