Hi,
I am trying to configure the Tomcat server to authenticate the client with a certificate over HTTPS.
My connector is configured to accept requests on port 8443 like this:
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="true" protocol="TLS" keystorePass="password1"/>
</Connector>
My tomcat-users.xml file is configured with a new entry that matches the getSubjectDN().getName() of the client certificate used:
<tomcat-users>
  <user name="tomcat" password="tomcat" roles="tomcat" />
  <user name="role1" password="tomcat" roles="role1" />
  <user name="both" password="tomcat" roles="tomcat,role1" />
  <user name="OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel, O=frec.bull.fr"
        password="tomcat" roles="tomcat,role1" />
</tomcat-users>
I also uncommented the security constraint in my web.xml file like this:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>The Entire Web Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>tomcat</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Tomcat Supported Realm</realm-name>
</login-config>
<security-role>
  <description>
    An example role defined in "conf/tomcat-users.xml"
  </description>
  <role-name>tomcat</role-name>
</security-role>
My problem is that when I try to connect to my Tomcat server I always get the same message:
HTTP Error 403 - Forbidden
Possible reasons:
I tried to compare the BASIC authenticator and the CLIENT-CERT authenticator.
* The BasicAuthenticator class registers a MemoryRealmPrincipal object returned by the MemoryRealm class.
* The SSLAuthenticator class registers a Principal object which is simply returned by the certs[0].getSubjectDN() method (and has no role associated).
When I modified the SSLAuthenticator class a little to look up in the MemoryRealm the MemoryRealmPrincipal associated with the username = certs[0].getSubjectDN().getName() (with no password), that seems to work better...
Excuse me if it's a known limitation, an already known bug, or a bad setting...
Jérôme
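Added illustration of the mechanism behind the 403 described in the message above; it is not code from Jérôme's message and not Tomcat's own SSLAuthenticator or MemoryRealm. It reduces the two behaviours to their essentials: a principal built straight from the certificate subject carries no roles, so the <auth-constraint> check fails, whereas a principal resolved through the realm by the exact subject DN string picks up the roles listed in tomcat-users.xml. The class and method names (RealmLookup, findRoles, isAuthorized) are assumptions; the tomcat-users fragment and the DN string are constructed from the entries shown above.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

// Hypothetical helper (not Tomcat code): map a certificate subject DN to
// realm roles and run the <auth-constraint> check on the result.
public class RealmLookup {

    // Constructed sample of a tomcat-users.xml; the last entry is keyed by
    // the string that certs[0].getSubjectDN().getName() would return.
    static final String TOMCAT_USERS =
        "<tomcat-users>"
      + "  <user name=\"tomcat\" password=\"tomcat\" roles=\"tomcat\"/>"
      + "  <user name=\"OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel, O=frec.bull.fr\""
      + "        password=\"tomcat\" roles=\"tomcat,role1\"/>"
      + "</tomcat-users>";

    /** Roles of the user whose name equals the given string exactly, or an empty set. */
    static Set<String> findRoles(String usersXml, String name) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // No DTD processing is needed for this file, so refuse it outright.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
            .parse(new ByteArrayInputStream(usersXml.getBytes(StandardCharsets.UTF_8)));
        NodeList users = doc.getElementsByTagName("user");
        for (int i = 0; i < users.getLength(); i++) {
            Element u = (Element) users.item(i);
            if (name.equals(u.getAttribute("name"))) {
                Set<String> roles = new HashSet<>();
                for (String r : u.getAttribute("roles").split(",")) {
                    if (!r.trim().isEmpty()) roles.add(r.trim());
                }
                return roles;
            }
        }
        return Collections.emptySet();
    }

    /** The <auth-constraint> rule: the principal must hold at least one required role. */
    static boolean isAuthorized(Set<String> principalRoles, String... requiredRoles) {
        for (String r : requiredRoles) {
            if (principalRoles.contains(r)) return true;
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for certs[0].getSubjectDN().getName().
        String subjectDn = "OID.0.9.2342.19200300.100.1.1=mvittel, CN=michel vittel, O=frec.bull.fr";

        // 1. Principal taken straight from the certificate, no realm lookup:
        //    it has no roles, the constraint fails, the container answers 403.
        Set<String> noRealm = Collections.emptySet();
        System.out.println("no realm lookup   -> authorized? " + isAuthorized(noRealm, "tomcat"));

        // 2. Principal resolved through the realm by DN: roles come from tomcat-users.xml.
        Set<String> viaRealm = findRoles(TOMCAT_USERS, subjectDn);
        System.out.println("realm lookup roles=" + viaRealm
            + " -> authorized? " + isAuthorized(viaRealm, "tomcat"));

        // 3. The match is a plain string comparison: the same DN rendered with
        //    different attribute order or spacing finds no user and no roles.
        System.out.println("reordered DN roles="
            + findRoles(TOMCAT_USERS, "O=frec.bull.fr,CN=michel vittel"));
    }
}
```

Case 3 is the check worth doing before suspecting the authenticator: the name attribute in tomcat-users.xml must be byte-for-byte the string the JVM produces for the subject, including the OID.x.y.z rendering of attribute types it has no short name for, the separator ", " and the attribute order.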