tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Client certificates not authenticated by realm
Date Mon, 01 Dec 2014 20:14:28 GMT

Andrew,

On 12/1/14 2:33 PM, Andrew Gronosky wrote:
> Hello,
> 
> I am trying to set up client-certificate authentication for Tomcat 
> 7.0.57. I have read the basics in the docs and I have my
> configuration working up to a point.
> 
> My problem is that Tomcat accepts the client's connection, but
> returns HTTP status 401 for pages the user is supposed to be
> authorized to access.
> 
> I am confident the certificates and key store etc. are set up
> properly because the TLS connection works with a trusted client
> certificate and not with an untrusted one. :-)
> 
> Some relevant snippets from the configuration files:
> 
> web.xml from my web app divides the web resources into several
> collections, one of which requires no authentication at all, while the
> others require the user to belong to a particular role. For
> example:
> 
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Public Interface</web-resource-name>
>     <url-pattern>/index.html</url-pattern>
>     ... etc ...
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> 
> 
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Administrator Only</web-resource-name>
>     <url-pattern>/admin.html</url-pattern>
>     ... etc ...
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>administrator</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> 
> The Connector is set up in server.xml as:
> 
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>            clientAuth="true" maxThreads="150" scheme="https" secure="true"
>            keystoreFile="${catalina.home}/conf/testServer.jks"
>            keystorePass="changeit"
>            truststoreFile="${catalina.home}/conf/truststore.jks"
>            truststorePass="changeit" sslProtocol="TLSv1.2" />
> 
> And finally, my Realm is a UserDatabaseRealm:
> 
> <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>        resourceName="UserDatabase" digest="sha"/>
> 
> tomcat-users.xml looks something like this:
> 
> <tomcat-users>
>   <role rolename="user" /> <!-- System administrators -->
>   <role rolename="administrator" /> <!-- System administrators -->
>   <user username="testClient_1" password="****redacted***" roles="user" />
>   <user username="testClient_2" password="****redacted***" roles="administrator" />
> </tomcat-users>
> 
> Again, the symptom I am seeing is that a browser with the
> testClient_2 certificate installed can connect to the web app and
> access index.html, but gets an HTTP 401 error trying to access
> admin.html.
> 
> Does anyone have suggestions what I might be overlooking or how I
> could isolate the cause?

What do the CNs look like for your client certs?

-chris
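As an added illustration (not part of the thread) of why the CN question matters: with CLIENT-CERT authentication, Tomcat's realm looks the user up by the certificate's full subject DN by default, not by its CN, so a tomcat-users.xml entry named after the CN is never found and the authenticator answers 401 even though the TLS handshake succeeded. The tomcat-users.xml documents and the subject DN below are constructed samples, and the lookup functions are my own stand-ins for the realm's behaviour, not Tomcat code.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: usernames set to the certificate CN, as in the post.
USERS_BY_CN = """<tomcat-users>
  <role rolename="user"/>
  <role rolename="administrator"/>
  <user username="testClient_1" password="x" roles="user"/>
  <user username="testClient_2" password="x" roles="administrator"/>
</tomcat-users>"""

# Constructed sample: the same file keyed by the full subject DN, which is
# what the realm compares against when no X509UsernameRetriever is set.
USERS_BY_DN = """<tomcat-users>
  <role rolename="administrator"/>
  <user username="CN=testClient_2, OU=Test, O=Example, C=US"
        password="x" roles="administrator"/>
</tomcat-users>"""

# Constructed subject DN, written the way Java renders an X500Principal.
CLIENT_DN = "CN=testClient_2, OU=Test, O=Example, C=US"


def load_users(xml_text):
    """Map username -> set of roles from a tomcat-users.xml document."""
    root = ET.fromstring(xml_text)
    return {u.get("username"): {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
            for u in root.iter("user")}


def common_name(subject_dn):
    """Pull the CN attribute out of a subject DN (what the post expects to match)."""
    m = re.search(r"(?:^|,\s*)CN=([^,]+)", subject_dn)
    return m.group(1) if m else None


def realm_roles(users, subject_dn):
    """Stand-in for the default realm lookup: the whole subject DN is the username."""
    return users.get(subject_dn)


def authorize(users, subject_dn, required_role):
    """HTTP status for a request: 200 without an auth-constraint, else 401 when the
    realm finds no user for the DN, 403 when the user lacks the role, 200 otherwise."""
    if required_role is None:
        return 200                      # index.html: no authentication performed
    roles = realm_roles(users, subject_dn)
    if roles is None:
        return 401                      # admin.html in the post
    return 200 if required_role in roles else 403
```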

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

