Yes, I understand what you said about CLIENT-CERT, and I added a new entry in my tomcat-users.xml file:
<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1"  password="tomcat" roles="role1"  />
  <user name="both"   password="tomcat" roles="tomcat,role1" />
  <user name="OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel, O=frec.bull.fr" password="tomcat" roles="tomcat,role1" />
</tomcat-users>

The getSubjectDN().getName() function returns the value "OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel, O=frec.bull.fr" for the
first certificate in the chain, so I take this value as the new user name.
I still have auth-method set to the CLIENT-CERT value, and when I try to connect to my Tomcat server I get the same message:

"You are not authorized to view this page"

My local_host_access.log file gives me this information:
camilleri - OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel, O=frec.bull.fr [21/Dec/2000:11:07:50 1000] "GET /examples/servlet/SnoopServlet HTTP/1.1" 200 4017
camilleri - OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel, O=frec.bull.fr [21/Dec/2000:11:08:32 1000] "GET /examples/servlet/SnoopServlet HTTP/1.1" 403 -

So I tried to remove the password attribute in the tomcat-users file, because when I use a certificate I don't understand what I would put there... but
with no success...
Is it possible that the value "OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel, O=frec.bull.fr" is too complicated for a user name?

Thank you if you have another good idea.

Best Regards

Jérôme

Craig McClanahan wrote:

[EMAIL PROTECTED] wrote:
Hello,

I am trying to set the auth-method in web.xml to the CLIENT-CERT value, as specified in web.dtd.
Here is the fragment of the web.xml file:
    <!-- Default login configuration uses form-based authentication -->
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>Example Form-Based Authentication Area</realm-name>
      <form-login-config>
        <form-login-page>/jsp/security/login/login.jsp</form-login-page>
        <form-error-page>/jsp/security/login/error.jsp</form-error-page>
      </form-login-config>
    </login-config>

When I try to access a url-pattern that is protected by a <security-constraint> over https on port 8443,
I always get the same response from the Catalina server:
                       You are not authorized to view this page
 
 When you use CLIENT-CERT login plus a security constraint, what you are asking Catalina to do is look up the authenticated client in its Realm (by default, the MemoryRealm that reads from $CATALINA_HOME/conf/tomcat-users.xml), to (a) make sure that the client is present in the Realm, and (b) look up the associated roles to verify against the security constraint.

The "username" that is looked up is the value returned by calling getSubjectDN().getName() on the first certificate in the certificate chain -- in other words, the principal name of the client that was authenticated by this certificate.

If all you want to do is make sure the client has a valid certificate, you don't need to use a security constraint at all -- just set the "clientAuth" property on the Connector to true, and no requests will be accepted without a certificate.  On the other hand, if you want to use security constraints in addition, you will need to define the user (and associated roles) in your Realm, just as you would for any other login method.  
Does anybody know where I can find information about this functionality that I have used wrongly?

Best regards

Jérôme

Craig McClanahan
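As an added illustration of the lookup Craig describes (this is not code from the thread or from Tomcat itself), the following Python simulates what a MemoryRealm-style lookup does for CLIENT-CERT plus a security constraint: it parses the tomcat-users.xml entries posted above (embedded here as a constructed sample), treats the subject DN string of the first certificate as the user name, and checks the user's roles against the roles a constraint requires. The simulation assumes the user name is matched exactly as a string, so a DN rendered with different spacing or attribute names is not found; the function names `load_realm` and `authorize_client_cert` are hypothetical.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the tomcat-users.xml entries from the thread, with the
# client certificate's subject DN used as a user name.
TOMCAT_USERS_XML = """<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1"  password="tomcat" roles="role1"  />
  <user name="both"   password="tomcat" roles="tomcat,role1" />
  <user name="OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel, O=frec.bull.fr" password="tomcat" roles="tomcat,role1" />
</tomcat-users>
"""

# The value getSubjectDN().getName() returned for the first certificate in the chain.
CLIENT_DN = "OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel, O=frec.bull.fr"


def load_realm(xml_text):
    """Build {user name: set of roles} from a tomcat-users.xml document.

    Mirrors the file-backed Realm Craig refers to: each <user> element carries
    a name and a comma-separated roles attribute. The password attribute is
    irrelevant to a certificate lookup, so it is ignored here.
    """
    root = ET.fromstring(xml_text)
    realm = {}
    for user in root.iter("user"):
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        realm[user.get("name")] = roles
    return realm


def authorize_client_cert(realm, subject_dn, constraint_roles):
    """Simulate CLIENT-CERT login followed by a <security-constraint> check.

    (a) the principal name (the certificate's subject DN) must exist in the Realm;
    (b) at least one of its roles must be among the roles the constraint requires.
    Returns an (HTTP status, reason) pair, 200 on success and 403 otherwise.
    """
    roles = realm.get(subject_dn)  # exact string match, as assumed above
    if roles is None:
        return 403, "principal not defined in realm"
    if not roles & set(constraint_roles):
        return 403, "principal has none of the required roles"
    return 200, "authorized"


if __name__ == "__main__":
    realm = load_realm(TOMCAT_USERS_XML)
    print(authorize_client_cert(realm, CLIENT_DN, ["role1"]))
    # A DN that differs only in spacing is a different user name to the realm.
    print(authorize_client_cert(realm, CLIENT_DN.replace(", ", ","), ["role1"]))
    # A user that exists but lacks the required role is also refused.
    print(authorize_client_cert(realm, CLIENT_DN, ["admin"]))
```

The two refusal cases map to the two things Craig lists: the principal is absent from the Realm, or it is present but carries none of the roles the constraint names. When a request for a defined user still ends in 403, comparing the exact user name string the access log records against the name attribute in the Realm file is the first check to make.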
 
