tomcat-users mailing list archives

From Graham Leggett <minf...@sharp.fm>
Subject Switching basic auth to client-cert with realms - how?
Date Fri, 13 Mar 2015 19:39:00 GMT

Hi all,

I have a basic authentication setup that works great as below.

	<login-config>
		<auth-method>BASIC</auth-method>
		<realm-name>Patricia</realm-name>
	</login-config>

	<!-- Security roles referenced by this web application -->
	<security-role>
		<role-name>administrator</role-name>
	</security-role>
	<security-role>
		<role-name>underwriter</role-name>
	</security-role>
	<security-role>
		<role-name>accountant</role-name>
	</security-role>
	<security-role>
		<role-name>broker</role-name>
	</security-role>
	<security-role>
		<role-name>feeds</role-name>
	</security-role>

It is backed up with a realm like this:

          <Realm className="org.apache.catalina.realm.DataSourceRealm"
                 [snip]
                 userTable="person" userNameCol="mail"
                 userCredCol="user_password"
                 userRoleTable="company_person" roleNameCol="serial" />

I need to switch basic authentication to client certificates, as provided by Apache httpd
and proxied in with AJP. The username is provided by Apache httpd in REMOTE_USER.

In theory, changing the auth-method to CLIENT-CERT should do the trick, but I just get forbidden.

What doesn’t seem to fit is the realm definition - specifying userCredCol is marked as mandatory,
but this is obviously not present with a client certificate. What do you specify in this field?

Does anyone have a working example of authentication using client certificates and authorization
using a realm backed with a DataSource?

Regards,
Graham