"Christopher Williams" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]

> My setup:
> Windows XP Pro
> JDK 1.4.1
> JWSDP 1.0
>
> I'm hoping to get SSL client authentication working for web services. I set
> up Tomcat for SSL ages ago and it works fine. However, I run into multiple
> problems when I attempt to use SSL client authentication.
>
> I have enabled client authentication by changing the value of "clientAuth"
> in server.xml to true. I removed all <security-constraint> and
> <login-config> entries from my web.xml as they didn't appear to have any
> effect (question: am I right to do so? I've done my research on the web and
> there are no consistent instructions for what to do).
>
Tomcat currently has only very light support for this, but this is orthogonal to your current problem.

> When I access https://localhost:8443/ in Internet Explorer, I get notified
> that a private key is being used and the server home page displays fine.
> However, when I first access the page, the following stack trace appears on
> Tomcat's console:
>
> PoolTcpEndpoint: Handshake failed
> javax.net.ssl.SSLHandshakeException: Remote host closed connection
> during handshake
> ...
> Caused by: java.io.EOFException: SSL peer shut down incorrectly
> at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
> ... 7 more
> ThreadPool: Caught exception executing
> [EMAIL PROTECTED], terminating thread
> java.lang.NullPointerException
> at
> org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:512)
> ...
>
> Does anybody know what the problem is here?

Tomcat obviously doesn't like your client-cert, or (more likely) you don't have any. By default, only Verisign & Thawte signed client certs are recognized (at least with Sun's JVM). If this is your problem, then you need to set up a TrustStore (or import the signer into cacerts). Searching the archives for 'TrustStore' will give you an answer faster than waiting on me.

>
> The second thing is, I want to know who's accessing pages and web services.
> That's the whole point of authentication, right? However, when SSL client
> authentication is in force, the following calls all return null:
>
> request.getUserPrincipal()
> request.getRemoteUser()
> request.getAttribute("javax.servlet.request.X509Certificate")
> request.getAttribute("org.apache.coyote.request.X509Certificate")
>
> This seems most bizarre. At some point these calls must return non-null
> values as they are used in
> org.apache.catalina.authenticator.SSLAuthenticator. Does anybody know
> whether there are any server settings to make these calls return the correct
> values?
>
> Ideally, I would like to have just one or two URL-patterns protected by SSL,
> like you do with HTTP authentication rather than it being all or nothing.
> Is this possible with Tomcat?
>

This is in the FAQ.

> Kind regards,
>
> Chris Williams.
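For the null-attribute question in the thread, an added example that is not part of the original messages: a servlet filter that reads the standard `javax.servlet.request.X509Certificate` attribute (the container only populates it once a client certificate has been negotiated on the connection), refuses the request when no valid certificate is present, and hands the subject DN to downstream code. The class name `ClientCertFilter` and the `client.subject` attribute are assumptions, not Tomcat names.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: lets a request through only if it carries a usable client certificate. */
public class ClientCertFilter implements Filter {
    // Attribute name defined by the Servlet spec (the one quoted in the question).
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Null here means either clientAuth is not in force on this connector or
        // no certificate was presented/accepted during the handshake.
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        String subject = verifiedSubject(certs);
        if (subject == null) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate required");
            return;
        }
        req.setAttribute("client.subject", subject); // hypothetical attribute for downstream code
        chain.doFilter(req, res);
    }

    /** Returns the leaf certificate's subject DN, or null when absent or outside its validity window. */
    static String verifiedSubject(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            return null;
        }
        X509Certificate leaf = certs[0]; // element 0 is the client's own cert; the rest is its chain
        try {
            leaf.checkValidity();        // the connector checked the chain; re-check the dates here
        } catch (CertificateException e) {
            return null;                 // expired or not-yet-valid certificate
        }
        return leaf.getSubjectX500Principal().getName();
    }
}
```

Map the filter onto the URL patterns that need certificate-bound identity in web.xml; it does not replace the TrustStore setup the reply describes, since the container only populates the attribute after a certificate it trusts has been negotiated.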
