From Andrew Gronosky <agron...@bbn.com>
Subject Re: Client certificates not authenticated by realm
Date Mon, 01 Dec 2014 21:32:43 GMT
Problem solved.

The issue was tomcat-users.xml should contain the client's CN as the 
user name, like this:

<tomcat-users>
  <role rolename="secureconn" />
  <user username="CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN" password="null" roles="secureconn"/>
</tomcat-users>

So Chris was definitely on the right track when he (I assume, maybe 
incorrectly, "Chris" is male) inquired about the CNs in my client certs.

Thanks again, Chris!

-Andrew Gronosky
On 2014-12-01 15:14, Christopher Schultz wrote:
> Andrew,
>
> On 12/1/14 2:33 PM, Andrew Gronosky wrote:
>> Hello,
>>
>> I am trying to set up client-certificate authentication for Tomcat
>> 7.0.57. I have read the basics in the docs and I have my
>> configuration working up to a point.
>>
>> My problem is that Tomcat accepts the client's connection, but
>> returns HTTP status 401 for pages the user is supposed to be
>> authorized to access.
>>
>> I am confident the certificates and key store etc. are set up
>> properly because the TLS connection works with a trusted client
>> certificate and not with an untrusted one. :-)
>>
>> Some relevant snippets from the configuration files:
>>
>> web.xml from my web app divides the web resources into several
>> collections, one of which requires no authentication at all and
>> others require the user to belong to a particular role. For
>> example:
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>Public Interface</web-resource-name>
>>     <url-pattern>/index.html</url-pattern>
>>     ... etc ...
>>   </web-resource-collection>
>>   <user-data-constraint>
>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>   </user-data-constraint>
>> </security-constraint>
>>
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>Administrator Only</web-resource-name>
>>     <url-pattern>/admin.html</url-pattern>
>>     ... etc ...
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>administrator</role-name>
>>   </auth-constraint>
>>   <user-data-constraint>
>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>   </user-data-constraint>
>> </security-constraint>
>>
>> The Connector is set up in server.xml as:
>>
>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>> clientAuth="true" maxThreads="150" scheme="https" secure="true"
>> keystoreFile="${catalina.home}/conf/testServer.jks"
>> keystorePass="changeit"
>> truststoreFile="${catalina.home}/conf/truststore.jks"
>> truststorePass="changeit" sslProtocol="TLSv1.2" />
>>
>> And finally, my Realm is a UserDatabaseRealm:
>>
>> <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>        resourceName="UserDatabase" digest="sha"/>
>>
>> tomcat-users.xml looks something like this:
>>
>> <tomcat-users>
>>   <role rolename="user" />          <!-- System administrators -->
>>   <role rolename="administrator" /> <!-- System administrators -->
>>   <user username="testClient_1" password="****redacted***" roles="user" />
>>   <user username="testClient_2" password="****redacted***" roles="administrator" />
>> </tomcat-users>
>>
>> Again, the symptom I am seeing is that a browser with the
>> testClient_2 certificate installed can connect to the web app and
>> access index.html, but gets an HTTP 401 error trying to access
>> admin.html.
>>
>> Does anyone have suggestions what I might be overlooking or how I
>> could isolate the cause?
> What do the CNs look like for your client certs?
>
> - -chris

-- 
Andrew Gronosky
Raytheon BBN Technologies
10 Moulton Street
Cambridge, MA 02138

voice: 617-873-3486

