tomcat-users mailing list archives

From Andrew Gronosky <>
Subject Client certificates not authenticated by realm
Date Mon, 01 Dec 2014 19:33:21 GMT

I am trying to set up client-certificate authentication for Tomcat 
7.0.57. I have read the basics in the docs and I have my configuration 
working up to a point.

My problem is that Tomcat accepts the client's connection, but returns 
HTTP status 401 for pages the user is supposed to be authorized to access.

I am confident the certificates and key store etc. are set up properly 
because the TLS connection works with a trusted client certificate and 
not with an untrusted one. :-)

Some relevant snippets from the configuration files:

web.xml from my web app divides the web resources into several 
collections, one of which requires no authentication at all and others 
require the user to belong to a particular role. For example:

       <web-resource-name>Public Interface</web-resource-name>
             ... etc ...

       <web-resource-name>Administrator Only</web-resource-name>
             ... etc ...

The Connector is set up in server.xml as:

     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                maxThreads="150" scheme="https" secure="true"
                sslProtocol="TLSv1.2" />

And finally, my Realm is a UserDatabaseRealm:

    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                resourceName="UserDatabase" digest="sha"/>

tomcat-users.xml looks something like this:

  <role rolename="user" /> <!-- System administrators -->
  <role rolename="administrator" /> <!-- System administrators -->
  <user username="testClient_1" password="****redacted***" roles="user" />
  <user username="testClient_2" password="****redacted***" roles="administrator" />

Again, the symptom I am seeing is that a browser with the testClient_2 
certificate installed can connect to the web app and access index.html, 
but gets an HTTP 401 error trying to access admin.html.

Does anyone have suggestions what I might be overlooking or how I could 
isolate the cause?


Andrew Gronosky
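One way to isolate the realm side of the problem, as an added example that is not part of the original post or of Tomcat itself: with CLIENT-CERT authentication the realm looks up a <user> whose username equals the certificate's full subject DN string (as the JDK renders it, RDNs separated by comma and space), so a quick script can show whether a given certificate subject would be matched by a tomcat-users.xml file at all. The XML and the DNs below are constructed for illustration; the DN format is an assumption to verify against your own certificates.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml in the shape of the post (passwords omitted).
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="user"/>
  <role rolename="administrator"/>
  <user username="testClient_2" password="x" roles="administrator"/>
  <user username="CN=testClient_1, OU=Test, O=Example" password="x" roles="user"/>
</tomcat-users>
"""

def load_users(xml_text):
    """Return {username: set(roles)} from a tomcat-users.xml document."""
    root = ET.fromstring(xml_text)
    users = {}
    for u in root.iter("user"):
        roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
        users[u.get("username")] = roles
    return users

def roles_for_certificate(users, subject_dn):
    """Assumption: with CLIENT-CERT the realm's lookup key is the whole subject
    DN string (comma-and-space separated RDNs), not just the CN.
    Returns the roles for an exact username match, or None if unmatched."""
    return users.get(subject_dn)

def common_name(subject_dn):
    """Extract the CN value from a DN string, for the diagnostic message."""
    for rdn in subject_dn.split(","):
        key, _, value = rdn.strip().partition("=")
        if key.upper() == "CN":
            return value
    return None

def diagnose(users, subject_dn):
    """Explain why a certificate subject does or does not map to a user."""
    roles = roles_for_certificate(users, subject_dn)
    if roles is not None:
        return "matched %r -> roles %s" % (subject_dn, sorted(roles))
    cn = common_name(subject_dn)
    if cn in users:
        return ("no user named %r; a user named %r exists, so the entry "
                "probably needs the full DN as its username" % (subject_dn, cn))
    return "no user matches %r" % subject_dn
```

Run diagnose() with the subject DN printed by `keytool -printcert` for the client certificate to see which of the three outcomes applies.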
