tomcat-users mailing list archives

From Neven Cvetkovic <neven.cvetko...@gmail.com>
Subject Re: Switching basic auth to client-cert with realms - how?
Date Fri, 13 Mar 2015 20:19:34 GMT
Graham,

On Fri, Mar 13, 2015 at 3:39 PM, Graham Leggett <minfrin@sharp.fm> wrote:

> Hi all,
>
> I have a basic authentication setup that works great as below.
>
>         <login-config>
>                 <auth-method>BASIC</auth-method>
>                 <realm-name>Patricia</realm-name>
>         </login-config>
>
>         <!-- Security roles referenced by this web application -->
>         <security-role>
>                 <role-name>administrator</role-name>
>         </security-role>
>         <security-role>
>                 <role-name>underwriter</role-name>
>         </security-role>
>         <security-role>
>                 <role-name>accountant</role-name>
>         </security-role>
>         <security-role>
>                 <role-name>broker</role-name>
>         </security-role>
>         <security-role>
>                 <role-name>feeds</role-name>
>         </security-role>
>
> It is backed up with a realm like this:
>
>           <Realm className="org.apache.catalina.realm.DataSourceRealm"
>                  [snip]
>                  userTable="person" userNameCol="mail"
>                  userCredCol="user_password"
>                  userRoleTable="company_person" roleNameCol="serial" />
>
> I need to switch basic authentication to client certificates, as provided
> by Apache httpd and proxied in with AJP. The username is provided by Apache
> httpd in REMOTE_USER.
>
> In theory, changing the auth-method to CLIENT-CERT should do the trick,
> but I just get forbidden.
>
> What doesn’t seem to fit is the realm definition - specifying userCredCol
> is marked as mandatory, but this is obviously not present with a client
> certificate. What do you specify in this field?
>
> Does anyone have a working example of authentication using client
> certificates and authorization using a realm backed with a DataSource?
>

Here's a nice article, detailing how to add CLIENT-CERT:
http://java.dzone.com/articles/enabling-client-cert-based

It is based on MemoryRealm, not DataSourceRealm, but the idea is similar.

Here's a summary:

1. You need to define user/pass/roles:

<role rolename="secureconn"/>
<user username="CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN"
      password="null" roles="secureconn"/>

2. You define in web.xml the login type:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Demo App</realm-name>
</login-config>

You would get a 403 if an invalid certificate is sent based on the security
constraints you set earlier.

Ultimately, you need to turn on extra logging on that realm so you would
know why the 403s were generated.

Try doing some online searching for the type of errors you got. Here's what
pops up in my quick google search:
http://stackoverflow.com/questions/5086457/setting-up-client-cert-authentication-with-roles-on-tomcat-6-0

This person had an issue with how CNs were handled, and as a result extra
spaces were inserted between the commas, e.g.
(1) no spaces: "CN=testuser,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
(2) with spaces: "CN=testuser, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU"

The issue was how the X509Principal.getName() call returned:
X500Principal.RFC2253
X500Principal.RFC1779

Let us know what you find by turning on extra logging.

Cheers!
Neven
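To see why the spacing difference Neven points to matters, here is an added Java example (not from this thread, the linked article, or Tomcat itself) that renders one subject DN in both formats and compares it against a constructed set of realm usernames, once by plain string equality and once after canonicalising both sides to RFC 2253. Class and method names are hypothetical; which form a given Tomcat version hands to the realm is something to confirm in the realm debug logging the message recommends.

```java
import javax.security.auth.x500.X500Principal;
import java.util.Set;
import java.util.stream.Collectors;

/** Hypothetical helper: why a realm lookup keyed on a certificate DN can miss on whitespace alone. */
public class DnRealmLookup {

    // Constructed sample: usernames a realm (MemoryRealm <user>, or the "mail" column of a
    // DataSourceRealm) might hold, typed the way a DN is usually copied from a certificate viewer,
    // i.e. with a space after each comma.
    static final Set<String> REALM_USERNAMES = Set.of(
            "CN=testuser, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU",
            "CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN");

    /** The two renderings the thread mentions. RFC 2253 drops the space after each comma;
     *  RFC 1779 keeps one, so the same certificate yields two different strings. */
    static String rfc2253(X500Principal subject) {
        return subject.getName(X500Principal.RFC2253);
    }

    static String rfc1779(X500Principal subject) {
        return subject.getName(X500Principal.RFC1779);
    }

    /** Naive lookup: exact string compare of the RFC 2253 form against the stored names. */
    static boolean naiveMatch(X500Principal subject) {
        return REALM_USERNAMES.contains(rfc2253(subject));
    }

    /** Robust lookup: parse each stored name as a DN and canonicalise to RFC 2253 before comparing,
     *  so the lookup no longer depends on how the administrator typed the whitespace. */
    static boolean normalisedMatch(X500Principal subject) {
        Set<String> canonical = REALM_USERNAMES.stream()
                .map(name -> new X500Principal(name).getName(X500Principal.RFC2253))
                .collect(Collectors.toSet());
        return canonical.contains(rfc2253(subject));
    }

    public static void main(String[] args) {
        // Constructed subject DN, as it would come from X509Certificate.getSubjectX500Principal().
        X500Principal subject = new X500Principal(
                "CN=testuser, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU");

        System.out.println("RFC2253 form:     " + rfc2253(subject));
        System.out.println("RFC1779 form:     " + rfc1779(subject));
        System.out.println("naive match:      " + naiveMatch(subject));
        System.out.println("normalised match: " + normalisedMatch(subject));
    }
}
```

For the sample DN the naive compare fails (the RFC 2253 form has no spaces, the stored name does) while the normalised compare succeeds; if your own realm rejects a certificate, compare the username string in the realm debug log against the stored value character by character before touching the SQL.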
