DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT http://issues.apache.org/bugzilla/show_bug.cgi?id=7831. ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=7831

[EMAIL PROTECTED] changed:

What                         |Removed |Added
Attachment #6735 is obsolete |0       |1

Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
You are receiving this mail because: You are the assignee for the bug, or are watching the assignee.

To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://issues.apache.org/bugzilla/show_bug.cgi?id=7831

--- Additional Comments From [EMAIL PROTECTED] 2005-05-02 11:40 ---
Created an attachment (id=14901) (http://issues.apache.org/bugzilla/attachment.cgi?id=14901&action=view)
Updated version for the two Realms

Updated just to put my latest version here
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

[EMAIL PROTECTED] changed:

What |Removed |Added
CC   |        |[EMAIL PROTECTED]

--- Additional Comments From [EMAIL PROTECTED] 2003-06-26 19:12 ---
*** Bug 21115 has been marked as a duplicate of this bug. ***
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

--- Additional Comments From [EMAIL PROTECTED] 2003-06-10 10:15 ---
Created an attachment (id=6735)
2 JNDIRealms: one for LDAP userCertificate Attribute and another for Windows ActiveDirectory
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

--- Additional Comments From [EMAIL PROTECTED] 2003-06-10 10:17 ---
Configuration Example for Attachment#3: LDAP userCertificate

    <Realm className="com.ops.webcontrol.tomcat.JNDIRealmCertOpenExchange"
           debug="99"
           connectionURL="ldap://smtp:389"
           userBase="dc=company,dc=co,dc=at"
           certSearch="(userCertificate={0})"
           certUserName="uid"
           userSearch="(uid={0})"
           roleBase="dc=company,dc=co,dc=at"
           roleName="cn"
           roleSearch="(memberUid={1})"
           connectionName="uid=cyrus,dc=ops,dc=co,dc=at"
           connectionPassword="**"
           roleSubtree="true"
           userSubtree="true" />

I think these Realms should now find their way into the Tomcat distribution.
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

--- Additional Comments From [EMAIL PROTECTED] 2003-06-10 10:18 ---
Note for LDAP userCertificate: maybe you have to edit your slapd.conf to add "index userCertificate eq" and modify the core.schema to allow userCertificate equality match by adding "EQUALITY octetStringMatch" to the attributetype definition.
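Added example (not part of the attached realms, the patch, or Tomcat): the certSearch=(userCertificate={0}) and userSearch=(uid={0}) filters from the configuration above only match correctly, and cannot be reshaped by the substituted value, if that value is escaped per RFC 4515. It assumes {0} is filled by plain string substitution; the class name, method names and sample values are hypothetical and constructed for illustration.

```java
import java.nio.charset.StandardCharsets;

public class CertSearchFilterExample {

    // RFC 4515: a binary assertion value is written as one \xx escape per octet.
    static String escapeBinary(byte[] value) {
        StringBuilder sb = new StringBuilder(value.length * 3);
        for (byte b : value) {
            sb.append('\\').append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    // RFC 4515: in a text value, NUL ( ) * \ must be escaped. Non-ASCII
    // characters are escaped here octet by octet from their UTF-8 encoding.
    static String escapeText(String value) {
        StringBuilder sb = new StringBuilder();
        for (byte b : value.getBytes(StandardCharsets.UTF_8)) {
            int c = b & 0xff;
            if (c == 0 || c == '(' || c == ')' || c == '*' || c == '\\' || c >= 0x80) {
                sb.append('\\').append(String.format("%02x", c));
            } else {
                sb.append((char) c);
            }
        }
        return sb.toString();
    }

    // Assumption: the realm fills {0} by plain substitution of the escaped value.
    static String certFilter(String certSearch, byte[] derCertificate) {
        return certSearch.replace("{0}", escapeBinary(derCertificate));
    }

    // Same substitution for the user lookup that follows the certificate lookup.
    static String userFilter(String userSearch, String username) {
        return userSearch.replace("{0}", escapeText(username));
    }

    public static void main(String[] args) {
        // Constructed stand-in for X509Certificate.getEncoded(); not a real
        // certificate. It deliberately contains the octets for ( * ) \ and NUL.
        byte[] der = {0x30, (byte) 0x82, 0x01, 0x0a, 0x28, 0x2a, 0x29, 0x5c, 0x00};
        System.out.println(certFilter("(userCertificate={0})", der));

        // Constructed value of the certUserName attribute containing filter
        // metacharacters; after escaping it can only match literally.
        System.out.println(userFilter("(uid={0})", "j*doe (ops)"));
    }
}
```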
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

--- Additional Comments From [EMAIL PROTECTED] 2003-06-10 10:57 ---
You are right about multiple certificates (I use only one, so it does not matter). I can change this code, but no one seems to pick up this code :-)
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

--- Additional Comments From [EMAIL PROTECTED] 2003-06-09 09:14 ---
to @Mario Ivankovits: I think that JDBCRealm should store the DN in the database (it can map the DN via a view if someone needs this). Looking into LDAP is good for the JNDI realm.

Marek Mosiewicz
http://www.jotel.com.pl/
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

--- Additional Comments From [EMAIL PROTECTED] 2003-06-09 16:56 ---
I overlooked that you are talking about JDBCRealm; this bug depends on JNDIRealm.

For sure, you have to store the DN in the database, but the resulting principal should contain the username as username and not the DN. A user might have multiple certificates, but it is always the same user. Or a user revokes his certificate and creates a new one; maybe this results in a new DN (other provider, new e-mail address, ...).

If we do not solve this problem in the realms, we move such logic to the application. The result is a Tomcat-user to application-user mapping, which (I think) should not be needed.
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

--- Additional Comments From [EMAIL PROTECTED] 2003-06-05 12:57 ---
@marek: I am not happy with this. I think a correct implementation should not use the Cert-Subject for the username.

I have implemented my own JNDIRealm which tries to look up a user with the certificate and uses the name found for the principal object. So it makes no difference which certificate the user uses, or if you use BASIC Authentication with my JNDIRealm; for the application it is almost always the same user.

The dark side of this solution is that it depends on how the LDAP server saves certificates. My solution currently works with Windows Active Directory, however, it should be easy to adopt it.

I have tried to discuss this on tomcat-dev (search CLIENT-CERT and JNDI), but no one has answered yet. I am looking forward to sharing my thoughts.
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

--- Additional Comments From [EMAIL PROTECTED] 2003-06-06 07:07 ---
Created an attachment (id=)
Discussion base for a common solution on how to authenticate client certificates
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

--- Additional Comments From [EMAIL PROTECTED] 2003-06-06 07:09 ---
Realm Configuration for Attachment#2

    <Realm className="com.ops.webcontrol.tomcat.JNDIRealmCertAD"
           debug="99"
           connectionURL="ldap://server:389"
           userBase="CN=Users,dc=company,dc=hq"
           certSearch="(altSecurityIdentities={0})"
           certUserName="sAMAccountName"
           userSearch="(sAMAccountName={0})"
           userRoleName="member"
           roleBase="CN=Users,dc=company,dc=hq"
           roleName="cn"
           roleSearch="(member={0})"
           connectionName="CN=tomcat,CN=Users,DC=company,DC=hq"
           connectionPassword="***"
           roleSubtree="true"
           userSubtree="true" />
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

--- Additional Comments From [EMAIL PROTECTED] 2003-06-06 10:14 ---
For me it seems that this module has no maintainer right now, so it is left as is and no one is interested in this. Does anybody know who we should contact to put his changes into CVS? Actually, in the contribution part of Jakarta it is said that you can make a patch, but not who I should contact - leave this patch on Bugzilla, maybe someone will pick it up.
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

--- Additional Comments From [EMAIL PROTECTED] 2003-06-05 12:37 ---
CLIENT-CERT authentication is done via the SSLAuthenticator class, which executes the RealmBase.authenticate(X509Certificate[] certs) method. This method uses the getPrincipal(String username) method to return the principal for the given username. If this returns null, SSLAuthenticator refuses to authenticate the user. For SSLAuthenticator it is only important to check if the user exists in the realm and find roles, because AUTHENTICATION is done by SSLAuthenticator (checking validity of the certificate).

This is my implementation for JDBCRealm.getPrincipal which works:
(If you want to consult this patch please mail me)

    /**
     * Return the Principal associated with the given user name.
     * This method is used in RealmBase.authenticate(X509Certificate[] creds)
     * which is then used in SSLAuthenticator to authenticate
     * with client with CLIENT-CERT method
     * Absence of this method (returning null) makes CLIENT-CERT authorization
     * impossible.
     *
     * @author Marek Mosiewicz [EMAIL PROTECTED]
     */
    // Method of JDBCRealm: relies on that class's open(), credentials(),
    // roles(), release() and close() helpers and its "sm" string manager.
    protected Principal getPrincipal(String username) {

        Connection dbConnection = null;

        try {
            // Ensure that we have an open database connection
            dbConnection = open();

            // The credentials query is used only to check that the user exists
            String dbCredentials = null;
            PreparedStatement stmt = credentials(dbConnection, username);
            ResultSet rs = stmt.executeQuery();
            while (rs.next()) {
                dbCredentials = rs.getString(1).trim();
            }
            rs.close();
            if (dbCredentials == null) {
                return (null);
            }

            // Accumulate the user's roles
            ArrayList list = new ArrayList();
            stmt = roles(dbConnection, username);
            rs = stmt.executeQuery();
            while (rs.next()) {
                list.add(rs.getString(1).trim());
            }
            rs.close();
            dbConnection.commit();

            // Release the database connection we just used
            release(dbConnection);

            // Create and return a suitable Principal for this user
            // (no password: the certificate was the credential)
            return (new GenericPrincipal(this, username, null, list));

        } catch (SQLException e) {
            // Log the problem for posterity
            log(sm.getString("jdbcRealm.exception"), e);

            // Close the connection so that it gets reopened next time
            if (dbConnection != null)
                close(dbConnection);

            // Return null principal
            return (null);
        }
    }
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

[EMAIL PROTECTED] changed:

What |Removed |Added
CC   |        |[EMAIL PROTECTED]

--- Additional Comments From [EMAIL PROTECTED] 2002-09-06 15:27 ---
*** Bug 12335 has been marked as a duplicate of this bug. ***
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

[EMAIL PROTECTED] changed:

What          |Removed     |Added
Status        |UNCONFIRMED |NEW
everconfirmed |0           |1
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

--- Additional Comments From [EMAIL PROTECTED] 2002-04-08 12:10 ---
Created an attachment (id=1499)
JNDIRealm patch
DO NOT REPLY [Bug 7831] - [PATCH] JNDIRealm does not work with CLIENT-CERT auth method
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831

--- Additional Comments From [EMAIL PROTECTED] 2002-04-08 12:15 ---
I think/hope the only contentious issue in the patch is:

    return (new GenericPrincipal(this, username, null, roles))

Javadoc for GenericPrincipal describes the password string as 'Credentials used to authenticate this user'. I set it to null rather than trying to find it from the realm because this is not necessarily what the user may have provided for authentication, e.g. the user didn't provide a password in the CLIENT-CERT case. This probably doesn't make much difference from trying to get it from the realm but I think it preserves the semantics better. Have I misunderstood?