tomcat-dev mailing list archives

From Antony Bowesman <>
Subject Re: Client certificates Tomcat 4
Date Tue, 06 Nov 2001 07:21:42 GMT
"Craig R. McClanahan" wrote:
> Tomcat does the following processing for CLIENT-CERT authentication:
> * Challenge the client for a certificate chain if necessary
> * Call the Realm.authenticate() method that takes a certificate
>   chain as the parameter
> * Optionally, check the validity of the certificate chain
> * Call getPrincipal() on the subject name and return that.
> Thus, to properly authenticate, you must ensure that there is a
> username in your Realm that matches the subject name.  It's not good
> enough to have a valid certificate chain - it must also be a user that
> *you* accept.

There seem to be no Realm implementations that will perform the last
function, i.e. validate the subject name via getPrincipal().

Currently, certificate authentication fails because getPrincipal() always
returns null, then somehow the BASIC auth window appears in the
browser.  Following that, the

  Header authorization = Basic xxxxxx

is returned and the certificate authenticate is called again, which fails.

What's causing that?  I can't see from the code how basic auth gets set.
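As an added illustration of the Realm side of the flow Craig describes (this is example code, not code from this thread or from Tomcat itself): a minimal Tomcat 4 Realm subclass whose getPrincipal() accepts only subject names present in an explicit allow-list, so a valid chain alone is not enough. It assumes the Tomcat 4.0 RealmBase abstract-method signatures; the class name, package, sample DN and role name are assumptions.

```java
package example.realm; // hypothetical package name

import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Hypothetical Tomcat 4 Realm for CLIENT-CERT authentication.
 * RealmBase.authenticate(X509Certificate[]) optionally checks the chain's
 * validity and then calls getPrincipal() with the subject DN of the first
 * certificate; this class decides which subject DNs are acceptable.
 */
public class SubjectAllowListRealm extends RealmBase {

    // Subject DN -> roles. Constructed sample data; the key must match
    // X509Certificate.getSubjectDN().getName() exactly.
    private final Map allowed = new HashMap();

    public SubjectAllowListRealm() {
        List roles = new ArrayList();
        roles.add("tomcat");
        allowed.put("CN=Alice Example, OU=Dev, O=Example Corp, C=US", roles);
    }

    protected String getName() {
        return "SubjectAllowListRealm";
    }

    // Certificate-authenticated users have no password in this realm.
    protected String getPassword(String username) {
        return null;
    }

    // Called by RealmBase with the certificate's subject DN. Returning null
    // here is what makes CLIENT-CERT authentication fail: a chain that
    // validates but whose subject is unknown to the realm is rejected.
    protected Principal getPrincipal(String username) {
        List roles = (List) allowed.get(username);
        if (roles == null) {
            return null;
        }
        return new GenericPrincipal(this, username, null, roles);
    }
}
```

Such a realm is wired in through a `<Realm className="...">` element in server.xml in place of the default MemoryRealm, whose getPrincipal() is what returns null in the situation described above.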

