Message-ID: <3BE78F86.4DCE1C39@teamware.com>
Date: Tue, 06 Nov 2001 09:21:42 +0200
From: Antony Bowesman
To: Tomcat Developers List
Subject: Re: Client certificates Tomcat 4
References: <20011105083025.T2147-100000@localhost>

"Craig R. McClanahan" wrote:
>
> Tomcat does the following processing for CLIENT-CERT authentication:
> * Challenge the client for a certificate chain if necessary
> * Call the Realm.authenticate() method that takes a certificate
>   chain as the parameter
> * Optionally, check the validity of the certificate chain
> * Call getPrincipal() on the subject name and return that.
>
> Thus, to properly authenticate, you must ensure that there is a
> username in your Realm that matches the subject name. It's not good
> enough to have a valid certificate chain - it must also be a user that
> *you* accept.

There seem to be no Realm implementations that will perform the last function, i.e. validate the subject name via getPrincipal().

Currently, cert authentication fails because getPrincipal() always returns null, then somehow the BASIC auth window appears in the browser. Following that, the header "authorization = Basic xxxxxx" is returned and the certs authenticate() is called again, which fails again. What's causing that? I can't see from the code how basic auth gets set.

Rgds
Antony
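The following is an added illustration, not code from this thread or from Tomcat itself, of the last step Craig describes: a Realm whose getPrincipal() decides which certificate subjects are acceptable, so that a chain that validates but belongs to an unknown subject still fails authentication. It assumes the Tomcat 4 RealmBase contract (abstract getName(), getPassword(String) and getPrincipal(String), with authenticate(X509Certificate[]) passing the subject DN string of the first certificate) and the GenericPrincipal(Realm, String, String, List) constructor; the class name, package and subject DNs are constructed for the example.

```java
package example; // hypothetical package, not part of Tomcat

import java.security.Principal;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Illustrative CLIENT-CERT realm. RealmBase.authenticate(X509Certificate[])
 * checks the chain (when validate="true") and then calls getPrincipal() with
 * the subject DN of the first certificate. Only subjects listed here become
 * Principals; any other subject yields null, so a syntactically valid chain
 * from a user this deployment does not accept is rejected.
 */
public class SubjectListRealm extends RealmBase {

    // Constructed allowlist: subject DN string -> roles. In a real deployment
    // this would be loaded from a file or directory; it is inline to keep the
    // example self-contained. Keys must match the exact string form returned
    // by X509Certificate.getSubjectDN().getName() for the chosen provider.
    private static final Map SUBJECTS = new HashMap();
    static {
        SUBJECTS.put("CN=alice,OU=dev,O=Example,C=FI",
                     Arrays.asList(new String[] { "manager" }));
        SUBJECTS.put("CN=build,OU=ci,O=Example,C=FI",
                     Arrays.asList(new String[] { "deployer" }));
    }

    protected String getName() {
        return "SubjectListRealm";
    }

    // Certificate authentication involves no password; returning null makes
    // the username/password form of authenticate() fail for this realm.
    protected String getPassword(String username) {
        return null;
    }

    // Called by RealmBase.authenticate(X509Certificate[]) with the subject DN.
    protected Principal getPrincipal(String username) {
        List roles = (List) SUBJECTS.get(username);
        if (roles == null) {
            return null; // valid chain, but not a subject *we* accept
        }
        return new GenericPrincipal(this, username, null, roles);
    }
}
```

It would be wired into a Context in server.xml as `<Realm className="example.SubjectListRealm" validate="true"/>` (assumed attribute names from the Tomcat 4 Realm element).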