hi this is Tomcat 9.0 running embedded I am trying to authorize access by client certificate. I want the servlet response to be tailored to the user's role. In other words I am not looking to deny access by role.
The connector has sslCon.setProperty("clientAuth", "required");

The context has a config file set: serverAppContext.setConfigFile(contextURL);

The config file contains:

    <?xml version="1.0" encoding="UTF-8"?>
    <Context>
      <Realm className="org.apache.catalina.realm.MemoryRealm" debug="9" pathname="/var/CartS3Server/cartapp/users.xml"/>
    </Context>

users.xml contains:

    <?xml version='1.0' encoding='utf-8'?>
    <tomcat-users>
      <role rolename="cart-admin"/>
      <role rolename="cart-user"/>
      <user username="CN=TTSDB1,OU=CART,O=CART" password="" roles="cart-user"/>
      <user username="CN=TTSDB2,OU=CART,O=CART" password="" roles="cart-admin"/>
    </tomcat-users>

Certificates are imported into the browser and the browser prompts for cert selection. There are no security constraints in the app's web.xml.

In the servlet there is a test of httpReq.isUserInRole("cart-admin"). This always fails. Also a req.getUserPrincipal() call always returns null. The request does not seem to be authenticated.

Further in the servlet, an X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate") correctly returns both the certificate from the browser plus the Cert Auth. A getSubjectX500Principal().getName() call on the browser certificate returns the cn/o/ou setting that should match with users.xml.

What am I missing here?

Dave Breeze
Linkedin: https://uk.linkedin.com/in/dabreeze
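Added example, not code from the thread: a minimal embedded Tomcat 9 setup for the scenario above, showing the two context settings the poster's configuration does not mention, a CLIENT-CERT login-config (which installs Tomcat's SSLAuthenticator) and preemptiveAuthentication (which lets that authenticator run when a certificate is presented even though no security-constraint protects the servlet). The port, keystore/truststore paths and passwords, base directory and the CartServlet body are assumed placeholders; the realm path and role names are those from the post.

```java
import java.io.File;
import java.io.IOException;
import javax.servlet.http.*;
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.realm.MemoryRealm;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.LoginConfig;

public class ClientCertEmbedded {
    // Assumed servlet: tailors the response to the role instead of denying access.
    public static class CartServlet extends HttpServlet {
        @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            String who = req.getUserPrincipal() == null ? "anonymous" : req.getUserPrincipal().getName();
            String view = req.isUserInRole("cart-admin") ? "admin view" : "user view";
            resp.setContentType("text/plain");
            resp.getWriter().println(who + ": " + view);
        }
    }

    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir("/tmp/tomcat-base");                          // placeholder

        Connector sslCon = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        sslCon.setPort(8443);
        sslCon.setSecure(true);
        sslCon.setScheme("https");
        sslCon.setProperty("SSLEnabled", "true");
        sslCon.setProperty("clientAuth", "required");                   // as in the post
        sslCon.setProperty("keystoreFile", "/path/to/server.jks");      // placeholder
        sslCon.setProperty("keystorePass", "changeit");                 // placeholder
        // Trust store holds only the CA that issues client certs: this is the trust decision.
        sslCon.setProperty("truststoreFile", "/path/to/client-ca.jks"); // placeholder
        sslCon.setProperty("truststorePass", "changeit");               // placeholder
        tomcat.getService().addConnector(sslCon);

        Context ctx = tomcat.addContext("", new File("/tmp/tomcat-base/webapps").getAbsolutePath());
        MemoryRealm realm = new MemoryRealm();
        realm.setPathname("/var/CartS3Server/cartapp/users.xml");       // usernames must equal the
        ctx.setRealm(realm);                                            // DN string the realm derives

        // Without an authenticator nothing ever populates getUserPrincipal()/isUserInRole().
        ctx.setLoginConfig(new LoginConfig("CLIENT-CERT", "CART", null, null));
        ctx.addSecurityRole("cart-admin");
        ctx.addSecurityRole("cart-user");
        ctx.setPreemptiveAuthentication(true); // authenticate on cert presence, no constraint needed

        Tomcat.addServlet(ctx, "cart", new CartServlet());
        ctx.addServletMappingDecoded("/cart", "cart");
        tomcat.start();
        tomcat.getServer().await();
    }
}
```

The subject DN that the MemoryRealm compares against users.xml is produced by the realm's X509 username retriever (the Realm attribute x509UsernameRetrieverClassName selects it), so check that its string form, including spacing after commas, matches the username entries exactly.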