Re: [OT] photo album software for web site
epyonne wrote: and the other one is to display pictures as thumbnails (clickable for full size). They must be able to run on UNIX server and do not require any database. At least for the thumbnail/clickable-full-size you could have a look at http://jalbum.net/ Uses jsp-like templates and create static pages which takes no resource at runtime. Maybe a template for slideshow-like presentation is also available. --- Mario - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
[OT] encoding differences between 1.4.1 and 1.4.2?
Hi! I must have missed something. Given scenario: A linux system running with ISO encoding. Java and Tomcat configured to use UTF-8 anyway (-Dfile.encoding=UTF-8, etc) Works like a charm with Java 1.4.1_03 But if I change only the JDK to java 1.4.2_08 it wont work anymore - means it reads my UTF-8 files correctly but the transferred HTML-Pages are encoded in ISO-8859-1. Content-Type is correctly set to UTF-8. Notice, I just installed a new JDK. I can switch between them and it works/works not/works/works not. Any clue? It looks like as if the socket do some magic charset conversion since 1.4.2? Is there another JVM parameter for 1.4.2? Ciao, Mario - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: [OT] encoding differences between 1.4.1 and 1.4.2?
Mark Thomas wrote: The JVM parameter file.encoding is only intended to be read only. Some platforms/JVM versions let you change it but not all. Thanks! With this backround I googled around and found java might check the environment variable LC_CTYPE (on linux), I will try this with 1.4.2. What a shame, I should have known it. Ciao, Mario - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: tomcat does not like cmdline args of wget?
Holger Klawitter wrote: There is one indeed interesting difference, both requests end up with a different (each one is reproducable) auth string: Sorry, didnt follow the conversion and thus it might be complete wrong what comes into my mind, but: Do you have some special character in your password - say: $ (which might be replaced by the shell), ! (also) or german umlauts and your system do not use the same encoding - say it uses ISO-8859-1 but your password is stored in an UTF-8 environmen. --- Mario - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Logging Server Responses
And - I think - partially the time taken to send back the response. Its the time for Servlet.service(...) to be processed. [Which includes any middleware/application server and database processings] Is the time recorded (using %D) includes time taken for middleware/application server and database processings? --- Mario - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat and SuSE 9.3...
Nikola Milutinovic wrote: You could try JPackage, but be prepared for dependency nightmare. But SuSE 9.3 uses JPackage, am I wrong? I managed to setup the SuSE 9.3 tomcatjava but there where a couple of missing libraries. And a missing link to correctly startup java at all. In fact SuSE installed them, but tomcat was not able to find them. I resolved it by placing some symbolic links, though, I cant recall exactly where and what. Sorry that I cant help more! --- Mario - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: CLIENT-CERT
Raphael Gallo wrote: It´s possible use FORM authentication and CLIENT-CERT in the same application. How can I do this ? Not sure if it works with FORM but I have done this with BASIC (through https). If the CLIENT-CERT fails the system will fallback to BASIC. I have done this by fiddling my own SSLAuthenticator (called SSLAuthenticatorOptional) into Tomcat. The main changes in short: private BasicAuthenticator secondAuth = new BasicAuthenticator(); // Authenticate the specified certificate chain principal = context.getRealm().authenticate(certs); if (principal == null) { if (debug = 1) { log( Realm.authenticate() returned false); } return secondAuth.authenticate(request, response, config); // hres.sendError(HttpServletResponse.SC_UNAUTHORIZED, //sm.getString(authenticator.unauthorized)); // return (false); } To put the SSLAuthenticatorOptional into Tomcat I have had to change the Authenticators.properties - which could done by this ant task target name=config-tomcat description=Tomcat configuration unjar src=${tomcat-server}/lib/catalina.jar dest=${tomcat-server}/classes patternset includes=org/apache/catalina/startup/Authenticators.properties/ /unjar replaceregexp file=${tomcat-server}/classes/org/apache/catalina/startup/Authenticators.properties byline=true match=CLIENT-CERT=org.apache.catalina.authenticator.SSLAuthenticator replace=CLIENT-CERT=tomcat.SSLAuthenticatorOptional/ /target --- Mario - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: The Logger Component
ariel wrote: 2) Is it possible to limit the amount of rolled logged files as it can be done in the log4j ? I am not sure, if there is already an implementation available, nor if tomcat provides one. But some time ago i have written a simple class which is able to act as replacement for the tomcat loggers and a bridge to commons-logging - and from there to log4j. (phu, what a long way for a log-message ;-)) -- Mario --cut-- package the.package.you.like; import org.apache.catalina.logger.LoggerBase; import org.apache.commons.logging.Log; import org.apache.commons.logging.LogFactory; public class Logger extends LoggerBase { private final static Log log = LogFactory.getLog(Tomcat); public void log(Exception ex, String message) { log.fatal(message, ex); } public void log(String message, Throwable throwable) { log.fatal(message, throwable); } public void log(String message, int level) { log(message, null, level); } public void log(String message, Throwable throwable, int level) { if (this.verbosity verbosity) { return; } if (level == FATAL) { log.fatal(message, throwable); } else if (level == ERROR) { log.error(message, throwable); } else if (level == WARNING) { log.warn(message, throwable); } else if (level == INFORMATION) { log.info(message, throwable); } else if (level == DEBUG) { log.debug(message, throwable); } else { log.info(message, throwable); } } public void log(String message) { log.info(message); } } --cut-- smime.p7s Description: S/MIME Cryptographic Signature
Re: No session in tomcat 5.0.24
Rob Tillie wrote: Last night we updated our tomcat server from 5.0.16 to 5.0.24. Suddenly, the web applications don't keep the same session between requests, hereby rendering parts of our applications useless. I have experienced a simmilar problem - it looks like the session was lost between the requests - in fact the problem was, that tomcat sets two cookies (for the root context and the application context) and it seems like it could not correctly handle thre response if those two cookies are sent back and starts a new session. I solved this for now by adding the following line to the the host element Context path= docBase=ROOT debug=0 cookies=false/ the magic is to set the cookies=false on the root context. So the application context (/opsjs in our case) is the only which uses cookies. I have seen this with Internet-Explorer and Mozilla - so it might be a tomcat problem?? Not sure - wanted to figured it out a bit more, but thought it might help you and so come out with this now. -- Mario - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Can I chain authenticators?
Why would you chain authenticators? Well, i have chained SSL and BASIC authenticators. I the users have some well known certificate installed (checked agains LDAP) they do not have to enter some user/password, else a BASIC authenticator (via https) is presented. So it is possible to use the application from within the company or at home without login, if the user needs access to the application from some internet-cafe a login screen will be presented. Ciao, Mario smime.p7s Description: S/MIME Cryptographic Signature
Re: [OT] Mozilla/Firebird and Session Cookie Problem (Mozilla-BUG)
Hello ! This whole question about sharing the session cookies or not when you open a new window seems a bit unnecessary to me. I often want to test using two users and not share the cookies, but I just open a different browser, e.g. if I'm using Mozilla, I open IE or Netscape4 or Firebird or Opera. So there's up to five seperate sessions you can have without even having to think about it. I think it is worth the discussion. I am a Web-Application developer and our users loves it to login to our application multiple times. I do not want to 1) Create a profile for each instance 2) Install multiple browsers Both is hard in support. On the other hand, we have implemented different applications, where every application has its own login. Having the same session-cookie, login is 1) not possible, since there is another application already active with this session or 2) destroys the session values of the first application However, session-cookie handling like IE should be IMHO possible with Mozilla at all. If you press Ctrl-N in IE you use the same session-cookie (even if i do not like this behaviour, i can live with). At least, if i start IE again (via Icon on Desktop) a new session cookie will be retrieved. This is what Mozilla should do too. Mario smime.p7s Description: S/MIME Cryptographic Signature
Re: [OT] Mozilla/Firebird and Session Cookie Problem (Mozilla-BUG)
Adam Hardy wrote: Are you sure about that? Without checking, I think that the jsessionid cookie would be stored under the directory http://www.mydomain.com/myapp1/ and the next app on the same server should have it at http://www.mydomain.com/myapp2/ Well, this might be, but our application was developed in an pre-tomcat time, and during porting to tomcat, we have decided to use only one WEB-APP. The pro is, we have to deploy only one jar and all applications are up-to-date, and only one web.xml has to be maintained. The con is, the above suggestion wont work for us. As far as the discussion goes, I appreciate where you are coming from, but as someone already mentioned on that thread, how can somebody tell which window is which login when they use IE to have multiple logins? It must be particular to your application, I suppose. If i start Excel two times, i also have to know which excel is what sheet. I think this is something which a user, who uses this feature, is familiar with. And mostley then, the are in different sections of the application, or, the would like to compare some settings, and switch betweend these windows. Maybe i miss something, but every web-app, that stores some state informations in their session do have problems with multiple logins and mozilla, problems which are not known with IE. Currently the only solution i have found, is to use url-rewriting, then the behavior is as expected. And well then, why should the behaviour between url-rewriting and session-cookie be different? IMHO At least, this should be configureable. Ciao, Mario smime.p7s Description: S/MIME Cryptographic Signature
Re: [OT] Mozilla/Firebird and Session Cookie Problem (Mozilla-BUG)
Just for the records: Someone on mozillazine told me, this is an open bug/enhancement http://bugzilla.mozilla.org/show_bug.cgi?id=117222 Maybe we should vote on it. Ciao, Mario smime.p7s Description: S/MIME Cryptographic Signature
[OT] Mozilla/Firebird and Session Cookie Problem
Hello ! For sure, not the right mailinglist, but maybe someone has experienced the same: If i use Firebird 0.7 (Windows) to connect to our Tomcat 4.1.24 Server, a new session cookie is retrieved. So long, this is correct But if i start a second instance of Firebird (not tabbed !!!), the _SAME_ session cookie (got from the first firebird instance) is sent to the server, so there is no new session created. With this behaviour, it is not possible to use more than one instance of Firebird to work with our web-application, due to the session values, which will be shared then. Any hints? Mario smime.p7s Description: S/MIME Cryptographic Signature
Re: [OT] Mozilla/Firebird and Session Cookie Problem
Ben Souther wrote: I'm not that familiar with Firebird, but I know that Mozilla allows you to create different profiles, each having it's own space for storing cookies. Have you tried running two instances with different profiles? I havent found profiles in firebird, but i am pretty sure, that this might work, however, i dont want to switch the profile. There has to be another way. Thanks! Mario smime.p7s Description: S/MIME Cryptographic Signature
JNDIRealm with UserMapping (was: Trust Store and Credentials)
Bill Barker wrote: Speaking only for myself, it is because of the dependencies on sun.** classes (so it won't work with e.g. IBM's JVM). Otherwise the patch looks Ok. I just haven't had enough spare cycles to work out how to remove the Sun dependancies. Ah, yes i see, but this is true for the JNDIRealmCertAD (which is for Windows-ActiveDirectory) only. I think we could left this out, since there might be better solutions (JAAS) for this environment. JNDIRealmCertOpenExchange do not rely on sun.* and threrefore could be a candidate for adding. Ciao, Mario smime.p7s Description: S/MIME Cryptographic Signature
Re: Trust Store and Credentials
Bill Barker wrote: Only MemoryRealm (of the Tomcat-supplied Realms) supports CLIENT-CERT. The user name in tomcat-users.xml is the DN (aka Subject), and the password is ignored. I believe that there are patches floating around Bugzilla for JDBCRealm and JNDIRealm as well. If you need anything more advanced, you will probably have to roll your own Realm. Here it is for JNDIRealm http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831 Why might no one add this to tomcat?? Ciao, Mario smime.p7s Description: S/MIME Cryptographic Signature
Re: Single Login Authentication with Tomcat
There are two solutions: 1. Use JNDI realm to talk to Active Directory. 2. Collect credentials yourself and use native code to call the WinAPI function LogonUser. I have written a centralized authentication service. One of the modules that I created to authenticate users against a Windows domain uses method 2 above. I have used a modification of method 1. Modified JNDIrealm and user certificates. Thus, it is possible to also allow passwordless login for homeworker. Maybe you might take a look at http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831. For the source and additional infos. Mario - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Certificate Athentication + Authorization to services
What I can't find, is how to get the User-Identity from the Certificate in the Browser that establishes a connection??? I would need the Distinguished name of the Client-certificate in a session-parameter. Which further on would direct what authorities corresponding user has in Server-system. You could use a realm which already does this by using an LDAP Server. See attachements from http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831 Or build your own realm based on this example. However, i recommend you to use a realm, so you could use all the tomcat authentication and security stuff. Mario - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Configuring SSL and LDAP authentication for Apache 1.3 and Tomcat 4.1
Maybe you could find informations here http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831. There you could find my working solution, but i use only a standalone tomcat installation. Dont know much about Apache integration. Currently this is not a plug and play solution. Mario - Original Message - From: Chuck Ruffing [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Monday, June 23, 2003 6:59 PM Subject: Configuring SSL and LDAP authentication for Apache 1.3 and Tomcat 4.1 Hi, I have Apache 1.3, Tomcat 4.1, and mod_jk installed and working together. I was able to configure Apache to use SSL. Now, I am required to check the client certificate that Apache receives against an LDAP directory on a different server to authenticate the user. Could somebody please help me with this? I have read about JNDIRealm, but I'm unsure as to how everything fits together. Thanks. - Do you Yahoo!? SBC Yahoo! DSL - Now only $29.95 per month! - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How to use digital certificates
I think, it is not a good idea to use the subject of the certificate as username. 1) You could not mix form or basic authentication with certificate authentication. You have to implement a certificate to user mapping within your application 2) A certificate can change This is what my JNDIRealm* Classes try to archive. It makes no difference if one uses certificates or any other authentication, the username is always the same. The mapping to the real username is done during authentication, transparently to the application. Mario - Original Message - From: Bill Barker [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, June 21, 2003 9:01 AM Subject: Re: How to use digital certificates Assuming that iPlanet is sending a normal x509 chain, then it should be mostly working. You'll have to make certain that the root-CA is installed in cacerts (I'm assuming that you are using JSSE) so that the client-cert can be verified. At least with the Sun JVM, I believe that only Verisign and Thwate are installed by default. Getting the name is a bit more of a problem. It is usually the CN of the Subject, but not always. If this is the case with your certs, then you'll need a custom Realm that extracts the CN and validates the user (MemoryRealm uses the full Subject as the user-name). appa rao [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Thanks for the reply.. let me clearly tell you the problem.. we use certificates generated by iPlanet Certificate Server. All the client(user) certificates are on a swipe card which are read by Gemplus card reader using USB port The problem is when the user swipes it, user should automatically be authenticated..(currently we have another web application running on iPlanet web server - which picks up username from the card and authenticates against LDAP). Is this possible in Tomcat? SSL is working fine - only problem is authentication.. Thanks Appa Bill Barker [EMAIL PROTECTED] wrote: Ok, everyone else is signing their replies. I can do that too ;-). Out-of-the-box, TC 4.1.24 has very limited support for x509 auth. Only the (deprecated) MemoryRealm actually supports it. Also, only the Stand-Alone JSSE Connector will correctly retrieve the x509 certs in the current release version (the Jk-Coyote Connector is fixed in the CVS, and the fixes for the Stand-Alone PureTLS Connector will show up before 4.1.25 comes out). Mario Ivankovits wrote in message news:[EMAIL PROTECTED] I have developed a solution, where you can use client-certificates for user authentication. You can find information at http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831 Currently an implementation for Standard LDAP and Windows-2000 ActiveDirectory is available. Using W2K-AD you might have troubles, since i have tested it only with two different client-certificates. Mainly you have to import the certificate in your LDAP Server, and then the user-mapping is done by my JNDIRealm* classes. Mario - Original Message - From: appa rao To: Sent: Friday, June 20, 2003 7:33 AM Subject: How to use digital certificates Hi, Can any one give me an example of how to use Digital Certificates for authentication and authorizatioin in Tomcat? I am struggling to under the concept of certificates and their use in authentication and authorization.. I am using Tomcat - 4.1.24. Thanks in advance.. appa SMS using the Yahoo! Messenger;Download latest version. ATTACHMENT part 2 application/x-pkcs7-signature name=smime.p7s SMS using the Yahoo! Messenger;Download latest version. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: How to use digital certificates
I have developed a solution, where you can use client-certificates for user authentication. You can find information at http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831 Currently an implementation for Standard LDAP and Windows-2000 ActiveDirectory is available. Using W2K-AD you might have troubles, since i have tested it only with two different client-certificates. Mainly you have to import the certificate in your LDAP Server, and then the user-mapping is done by my JNDIRealm* classes. Mario - Original Message - From: appa rao [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Friday, June 20, 2003 7:33 AM Subject: How to use digital certificates Hi, Can any one give me an example of how to use Digital Certificates for authentication and authorizatioin in Tomcat? I am struggling to under the concept of certificates and their use in authentication and authorization.. I am using Tomcat - 4.1.24. Thanks in advance.. appa SMS using the Yahoo! Messenger;Download latest version. smime.p7s Description: S/MIME cryptographic signature
Re: How to use digital certificates
we use certificates generated by iPlanet Certificate Server. All the client(user) certificates are on a swipe card which are read by Gemplus card reader using USB port The problem is when the user swipes it, user should automatically be authenticated..(currently we have another web application running on iPlanet web server - which picks up username from the card and authenticates against LDAP). Is this possible in Tomcat? SSL is working fine - only problem is authentication.. I do not know the iPlanet Certificate Server, we use the LDAP Server (openldap) from SuSE OpenExchange. *) The Browser sends the user-certificate to tomcat (standalone installation !!). I do not know, what you mean by the web-application pick the username, i think such an web-application can only get the certificate. *) JNDIRealmCertOpenExchange tries to lookup a user with this certificate *) If a user is found, the username of this ldap-entry is used for the resulting principal I am not aware of the protocol iPlanet uses, if it is standard LDAP you might have luck, else you have to write your own realm. Mario - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: SSL client authentication with tomcat 4.1.24
It works! Thank you - Original Message - From: Bill Barker [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, June 07, 2003 5:33 AM Subject: Re: SSL client authentication with tomcat 4.1.24 I believe that the Sun 1.4 JVM ships with the certs for Verisign and Thawte (to verify this, search the java.sun.com site). To allow OpenExchange signed certs, you need to get the signing cert (not hard), and import it into cacerts. Mario Ivankovits [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] For me, it looks like some certificates cant be read by tomcat/ssl. So, my Thawte FreeMail Member certificate works, but the certificate generated by SuSE OpenExchange wont work. I havent figured out what the difference could be for now. Mario - Original Message - From: Duma Rolando [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Friday, June 06, 2003 1:40 PM Subject: Re: SSL client authentication with tomcat 4.1.24 I have already imported my certificate.This is correctly showed if I connect to an apache + mod-ssl server with SSLVerifyClient require directive, so I think the problem belongs to Tomcat SSL implementation or its configuration. That's why I'm looking for people with positive experience on this kind of setup. - Original Message - From: Bodycombe, Andrew [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Friday, June 06, 2003 12:58 PM Subject: RE: SSL client authentication with tomcat 4.1.24 You need to import your personal certificate into your browser. In IE: Select 'Internet Options' from the Tools Menu Select the Content tab Press the certificates button This takes you to the screen showing all your certificates Select the 'Personal' tab Press Import to import your certificate Andy -Original Message- From: Duma Rolando [mailto:[EMAIL PROTECTED] Sent: 06 June 2003 11:31 To: Tomcat Mailing List Subject: SSL client authentication with tomcat 4.1.24 Is there anyone that have a running tomcat 4.1.24 standalone server with SSL and clientAuth=true? My current config doesn't work ( i.e. Internet Explorer doesn't display my personal certificate, Mozilla displays an error message ).I tried with only one SSL connector on port 443 and with also an http connector on port 80 without success.I would like to know if I'm wasting time or there are success stories about this in this community. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: SSL client authentication with tomcat 4.1.24
You have to import the root CA into the java cacerts keystore Assuming a windows-java installation in C:\j2sdk the location is: C:\j2sdk\jre\lib\security\cacerts using cd C:\j2sdk\jre\lib\security keytool -import -keystore cacerts -storepass changeit -file the-root-ca.cer did the job for me. Mario - Original Message - From: Duma Rolando [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Tuesday, June 10, 2003 9:24 AM Subject: Re: SSL client authentication with tomcat 4.1.24 I'm still having trouble with my setup. These are my keystore entries: Tipo keystore: jks Provider keystore: SUN Il keystore contiene 3 entry scai, 10-giu-2003, keyEntry, Impronta digitale certificato (MD5): D5:FC:34:5E:12:03:CD:29:84:18:C9:4C:33:07:6C:5D _dgripbmo, 10-giu-2003, trustedCertEntry, Impronta digitale certificato (MD5): F5:ED:E9:B2:D9:71:F9:B6:6F:E9:39:27:4D:0A:A4:F7 dumarolando, 10-giu-2003, trustedCertEntry, Impronta digitale certificato (MD5): E6:8D:22:29:5C:33:20:52:10:75:6A:8E:5D:03:4C:B3 The second item is the CA certificate that signs my personal certificate, the last is my personal certificate present also in my IE Personal certificates tab.If nothing is missing and the browser still pops up an empty personal certificate list, maybe there is a problem with the cryptographic providers or with the encription algorithms used? As a note my personal certificate is stored on a Gemplus smartcard connected with a USB reader all works fine if I connect to an Apache server with mod_ssl. - Original Message - From: Bill Barker [EMAIL PROTECTED] To: [EMAIL PROTECTED] Sent: Saturday, June 07, 2003 5:33 AM Subject: Re: SSL client authentication with tomcat 4.1.24 I believe that the Sun 1.4 JVM ships with the certs for Verisign and Thawte (to verify this, search the java.sun.com site). To allow OpenExchange signed certs, you need to get the signing cert (not hard), and import it into cacerts. Mario Ivankovits [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] For me, it looks like some certificates cant be read by tomcat/ssl. So, my Thawte FreeMail Member certificate works, but the certificate generated by SuSE OpenExchange wont work. I havent figured out what the difference could be for now. Mario - Original Message - From: Duma Rolando [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Friday, June 06, 2003 1:40 PM Subject: Re: SSL client authentication with tomcat 4.1.24 I have already imported my certificate.This is correctly showed if I connect to an apache + mod-ssl server with SSLVerifyClient require directive, so I think the problem belongs to Tomcat SSL implementation or its configuration. That's why I'm looking for people with positive experience on this kind of setup. - Original Message - From: Bodycombe, Andrew [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Friday, June 06, 2003 12:58 PM Subject: RE: SSL client authentication with tomcat 4.1.24 You need to import your personal certificate into your browser. In IE: Select 'Internet Options' from the Tools Menu Select the Content tab Press the certificates button This takes you to the screen showing all your certificates Select the 'Personal' tab Press Import to import your certificate Andy -Original Message- From: Duma Rolando [mailto:[EMAIL PROTECTED] Sent: 06 June 2003 11:31 To: Tomcat Mailing List Subject: SSL client authentication with tomcat 4.1.24 Is there anyone that have a running tomcat 4.1.24 standalone server with SSL and clientAuth=true? My current config doesn't work ( i.e. Internet Explorer doesn't display my personal certificate, Mozilla displays an error message ).I tried with only one SSL connector on port 443 and with also an http connector on port 80 without success.I would like to know if I'm wasting time or there are success stories about this in this community. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED
REPOST: CLIENT-CERT and JNDIRealm
Hello ! http://nagoya.apache.org/bugzilla/show_bug.cgi?id=7831 I think, a common solution should be found for this, so i try again to push a discussion: Questions: *) Are there some standards how to map an certificate to an user within an ldap-server *) If not, could/should we implement some of my code directly in an class (say) JNDIRealmCert, and one could simply override an abstract certToUser method. I have tried to use CLIENT-CERT to authenticate the user for our application. JNDIRealm do not support such authentication, so i have tried to implement it. For our infrastructure my solution works well, but i think (know) it is strongly bound to it. The way it works is to get a certificate for an user, and import this certificate to the ActiveDirectory Server. During authentication a user with the matching certificate is searched, and the cn for this user is used furthermore (getRoles() ...) First, I have created a new class JNDIRealmCertAD (JNDIRealm Certificate ActiveDirectory) and introduced a new property certSearch. (I also have copied the *Pattern getter/setter for use with certificate, but havent tested it yet) Much of the code from JNDIRealm has to be copied, due to the private User class, however, this class is a prototype. The advantage (i think) of my solution is, that it does not use the Cert.getSubjectDN() for the username, instead it is using the cn (or any other attribute) for the ldap entry returned when searching the corresponding user for the certificate. With my class it is possible to use BASIC and CLIENT-CERT and always do have the same username for the application. I think the application should not be bothered with the type of authentication. However, currently this solution is bound to our Win2000-Domain. Comments are welcome !! Ciao, Mario
Re: SSL client authentication with tomcat 4.1.24
For me, it looks like some certificates cant be read by tomcat/ssl. So, my Thawte FreeMail Member certificate works, but the certificate generated by SuSE OpenExchange wont work. I havent figured out what the difference could be for now. Mario - Original Message - From: Duma Rolando [EMAIL PROTECTED] To: Tomcat Users List [EMAIL PROTECTED] Sent: Friday, June 06, 2003 1:40 PM Subject: Re: SSL client authentication with tomcat 4.1.24 I have already imported my certificate.This is correctly showed if I connect to an apache + mod-ssl server with SSLVerifyClient require directive, so I think the problem belongs to Tomcat SSL implementation or its configuration. That's why I'm looking for people with positive experience on this kind of setup. - Original Message - From: Bodycombe, Andrew [EMAIL PROTECTED] To: 'Tomcat Users List' [EMAIL PROTECTED] Sent: Friday, June 06, 2003 12:58 PM Subject: RE: SSL client authentication with tomcat 4.1.24 You need to import your personal certificate into your browser. In IE: Select 'Internet Options' from the Tools Menu Select the Content tab Press the certificates button This takes you to the screen showing all your certificates Select the 'Personal' tab Press Import to import your certificate Andy -Original Message- From: Duma Rolando [mailto:[EMAIL PROTECTED] Sent: 06 June 2003 11:31 To: Tomcat Mailing List Subject: SSL client authentication with tomcat 4.1.24 Is there anyone that have a running tomcat 4.1.24 standalone server with SSL and clientAuth=true? My current config doesn't work ( i.e. Internet Explorer doesn't display my personal certificate, Mozilla displays an error message ).I tried with only one SSL connector on port 443 and with also an http connector on port 80 without success.I would like to know if I'm wasting time or there are success stories about this in this community. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]