Return-Path: 
 <users-return-252336-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
X-Original-To: apmail-tomcat-users-archive@www.apache.org
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id 5CB6A172B7
	for <apmail-tomcat-users-archive@www.apache.org>;
 Fri, 13 Mar 2015 20:21:22 +0000 (UTC)
Received: (qmail 64271 invoked by uid 500); 13 Mar 2015 20:21:15 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 64200 invoked by uid 500); 13 Mar 2015 20:21:14 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 64189 invoked by uid 99); 13 Mar 2015 20:21:14 -0000
Received: from athena.apache.org (HELO athena.apache.org) (140.211.11.136)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 13 Mar 2015 20:21:14 +0000
X-ASF-Spam-Status: No, hits=1.5 required=5.0
	tests=HTML_MESSAGE,RCVD_IN_DNSWL_LOW,SPF_PASS
X-Spam-Check-By: apache.org
Received-SPF: pass (athena.apache.org: domain of neven.cvetkovic@gmail.com
 designates 209.85.223.174 as permitted sender)
Received: from [209.85.223.174] (HELO mail-ie0-f174.google.com)
 (209.85.223.174)
    by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 13 Mar 2015 20:21:10 +0000
Received: by iegc3 with SMTP id c3so127803108ieg.3
        for <users@tomcat.apache.org>; Fri, 13 Mar 2015 13:20:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20120113;
        h=mime-version:in-reply-to:references:from:date:message-id:subject:to
         :content-type;
        bh=cX/dDvEN6uuHBYsffVply5UgU3/JBsO1IbQ87qK93kw=;
        b=WIko9yk529Jyr1wVRF+kvy05+3z3zaIEKwyCBZKqU9QSVIF+LeHDHi2meBWSPHbLGS
         SaeNB6yyhVkOXZlnvZzoQ6+51qcBjvgP2/UOTSyDUylaNY+KW9VLRd2VwkKGKqy2zJc2
         mE2CSWvI4ZYjMihE/1JwhsLflAOA2qAJuB8EPzTv3PWIWHGRniozSJiIt4wmyjiF+x0a
         c4to2bgrcy9qmJXeGhOLr2K3rokiTEw2IcK1sU3kZTfVmEj7oNjEFMheIvCeR/6/A5/u
         RejHWumJrrQ7mAeZl0O+rOADdH/OBxb56Fkm/dVcH0mlTsJ/Npexs2EiSVAGbEENiGPu
         Nv5Q==
X-Received: by 10.50.234.194 with SMTP id ug2mr114857820igc.39.1426277994901;
 Fri, 13 Mar 2015 13:19:54 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.64.176.207 with HTTP; Fri, 13 Mar 2015 13:19:34 -0700 (PDT)
In-Reply-To: <49D327BA-E4AD-48F4-ABE9-10BAFB43435B@sharp.fm>
References: <49D327BA-E4AD-48F4-ABE9-10BAFB43435B@sharp.fm>
From: Neven Cvetkovic <neven.cvetkovic@gmail.com>
Date: Fri, 13 Mar 2015 16:19:34 -0400
Message-ID: 
 <CAHjMPQzKis=6_sG_RZ1W08mjVyFnEtJZdMSkENbhuNS16XQybA@mail.gmail.com>
Subject: Re: Switching basic auth to client-cert with realms - how?
To: Tomcat Users List <users@tomcat.apache.org>
Content-Type: multipart/alternative; boundary=001a1134b5623cbe3a05113139a2
X-Virus-Checked: Checked by ClamAV on apache.org

--001a1134b5623cbe3a05113139a2
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Graham,

On Fri, Mar 13, 2015 at 3:39 PM, Graham Leggett <minfrin@sharp.fm> wrote:

> Hi all,
>
> I have a basic authentication setup that works great as below.
>
>         <login-config>
>                 <auth-method>BASIC</auth-method>
>                 <realm-name>Patricia</realm-name>
>         </login-config>
>
>         <!-- Security roles referenced by this web application -->
>         <security-role>
>                 <role-name>administrator</role-name>
>         </security-role>
>         <security-role>
>                 <role-name>underwriter</role-name>
>         </security-role>
>         <security-role>
>                 <role-name>accountant</role-name>
>         </security-role>
>         <security-role>
>                 <role-name>broker</role-name>
>         </security-role>
>         <security-role>
>                 <role-name>feeds</role-name>
>         </security-role>
>
> It is backed up with a realm like this:
>
>           <Realm className=3D=E2=80=9Corg.apache.catalina.realm.DataSourc=
eRealm"
>                  [snip]
>                  userTable=3D"person" userNameCol=3D"mail"
>                  userCredCol=3D"user_password"
>                  userRoleTable=3D"company_person" roleNameCol=3D"serial" =
/>
>
> I need to switch basic authentication to client certificates, as provided
> by Apache httpd and proxied in with AJP. The username is provided by Apac=
he
> httpd in REMOTE_USER.
>
> In theory, changing the auth-method to CLIENT-CERT should do the trick,
> but I just get forbidden.
>
> What doesn=E2=80=99t seem to fit is the realm definition - specifying use=
rCredCol
> is marked as mandatory, but this is obviously not present with a client
> certificate. What do you specify in this field?
>
> Does anyone have a working example of authentication using client
> certificates and authorization using a realm backed with a DataSource?
>

Here's a nice article, detailing how to add CLIENT-CERT:
http://java.dzone.com/articles/enabling-client-cert-based

It is based on MemoryRealm, not DataSourceRealm, but the idea is similar.

Here's a summary:

1. You need to define user/pass/roles:

<role rolename=3D"secureconn"/>
<user username=3D"CN=3Dclient1, OU=3DApplication Development, O=3DGoSmarter=
,
L=3DBangalore, ST=3DKA, C=3DIN" password=3D"null"  roles=3D"secureconn"/>

2. You define in web.xml the login type:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Demo App</realm-name>
</login-config>

You would get a 403 if an invalid certificate is sent based on the security
constraints you set earlier.

Ultimately, you need to turn on extra logging on that realm so you would
know why the 403s were generated.

Try doing some online searching for the type of errors you got. Here's what
pops up in my quick google search:
http://stackoverflow.com/questions/5086457/setting-up-client-cert-authentic=
ation-with-roles-on-tomcat-6-0

This person had an issue how CNs were handled, and as a result extra
inserted spaces between commas, e.g.
(1) no spaces: "CN=3Dtestuser,O=3DInternet Widgits Pty Ltd,ST=3DSome-State,=
C=3DAU"
(2) with spaces: "CN=3Dtestuser, O=3DInternet Widgits Pty Ltd, ST=3DSome-St=
ate,
C=3DAU"

The issue was how X509Principal.getName() call returned:
X500Principal.RFC2253
X500Principal.RFC1779

Let us know what you find by turning on extra logging.

Cheers!
Neven

--001a1134b5623cbe3a05113139a2--