Thank you very much. It's nice to find people that know this stuff.
Unfortunately req.getAttribute("org.apache.coyote.request.X509Certificate");
also returns null when CLIENT-AUTH is set to false. Do I have some configuration
problem I don't know about?
I have seen several mentions on newsgroups that these attributes are supposed to
work, but nobody talks about whether client-auth is set to true or false. They work
just fine if client-auth is true. I'm hoping there's a solution if client-auth is
false, as tomcat (or coyote) certainly gets the certificate according to
javax.net.debug=all, and validates it as known to its keystore; it's hard to believe
that it just throws it away. I'm trying to set context for my application based on
which company is connecting by looking up the DN/PubKey in an internal database. The
request gets through to the application, I just can't get the cert.
The idea of using CLIENT-CERT with my own realm is an interesting one. I guess you're
saying that CLIENT-CERT on the application works exactly like CLIENT-AUTH=TRUE
works for the Coyote connector (which I had hoped but hadn't found to be true, but
that may be the realm problem).
Okay, so I wrote my own realm and put it in the application context like this
(modeled on JDBCRealm):
<Context path="/Application" docBase="Reflector" debug="0"
         crossContext="true" >
  <Realm className="com.myco.myappname.myRealm" debug="99"
         driverName="sun.jdbc.odbc.JdbcOdbcDriver"
         connectionURL="jdbc:odbc:CATALINA2"/>
</Context>
and in my app deployment-descriptor:
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>myApp Certificates Realm</realm-name>
</login-config>
I get the Realm to start and see the startup messages (after putting a large
number of jars in the classpath), and I still get this error from the app:
<snip>
</head><body><h1>HTTP Status 400 - No client certificate chain in this request</h1>
<HR size="1" noshade><p><b>type</b> Status report</p>
<p><b>message</b> <u>No client certificate chain in this request</u></p>
<p><b>description</b> <u>The request sent by the client was syntactically incorrect (No client certificate chain in this request).</u></p>
<HR size="1" noshade><h3>Apache Tomcat/4.1.24</h3></body></html>
</snip>
The certificate never gets into my Realm for authorization. But of course it does if
I set CLIENT-AUTH to true.
What am I doing wrong?
Thanks in advance,
Bill
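As an added example in Java (not code from this thread or from Tomcat), here is one way to do the lookup Bill describes once the chain is available: a servlet Filter reads the portable attribute first and falls back to the Tomcat-specific one Bill Barker named, then keys a company lookup on the SHA-256 fingerprint of the client's public key. The Filter registration in web.xml, the in-memory map standing in for the internal database, the placeholder fingerprint and the "app.*" attribute names are all assumptions.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.servlet.*;

/** Maps the presented client certificate to a company id for the application. */
public class ClientCertContextFilter implements Filter {
    // Portable attribute name first, then the Tomcat-specific one from the thread.
    private static final String STD_ATTR = "javax.servlet.request.X509Certificate";
    private static final String COYOTE_ATTR = "org.apache.coyote.request.X509Certificate";
    // Stand-in for the internal database: hex SHA-256 of the public key -> company.
    // The entry below is a constructed placeholder, not a real key fingerprint.
    private final Map<String, String> companyByKeyFingerprint = new HashMap<>();

    public void init(FilterConfig cfg) {
        companyByKeyFingerprint.put("<sha256-of-ExampleCo-public-key>", "ExampleCo");
    }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(STD_ATTR);
        if (certs == null) {
            certs = (X509Certificate[]) req.getAttribute(COYOTE_ATTR);
        }
        if (certs != null && certs.length > 0) {
            X509Certificate leaf = certs[0]; // element 0 is the client's own certificate
            // Keying on the public key rather than the DN avoids confusing two
            // identically named subjects issued by different CAs.
            String company = companyByKeyFingerprint.get(fingerprint(leaf));
            req.setAttribute("app.clientDN", leaf.getSubjectX500Principal().getName());
            req.setAttribute("app.company", company); // null when the key is unknown
        }
        // No chain means the connector never asked for a certificate during the
        // handshake (clientAuth=false), so the request proceeds without company context.
        chain.doFilter(req, res);
    }

    static String fingerprint(X509Certificate cert) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getPublicKey().getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : d) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

The filter only sets context when a chain is present; whether a chain arrives at all is decided by the connector's clientAuth setting, as the thread discusses, not by anything the application can do after the handshake.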
On 26 Oct 2003 at 14:39, Bill Barker wrote:
>
> "Bill Harrelson" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> > To whoever can help:
> >
> > I have an application which requires certificates, and a bunch of
> > servlets which don't. In my application I need to determine the
> > originating client of the certificate-based connection (which comes
> > from an enterprise application). I can do this if I can get access
> > to either the request Principal, or the certificate itself.
> >
> > I have tried to use
> > req.getUserPrincipal();
> > req.getAttribute("javax.servlet.request.X509Certificate"); and
> > req.getAttribute("javax.net.ssl.peer_certificates");
> >
>
> This is specific to Tomcat 4.1 and higher, but:
> req.getAttribute("org.apache.coyote.request.X509Certificate");
>
> should work. Of course, this ties your application to Tomcat and
> there is no guarantee that future versions of Tomcat will continue to
> support it (although currently 5.0 does).
>
> > all return null unless CLIENT-AUTH=true in server.xml is set
> > (in which case the x509cert attribute returns the cert chain; the rest
> > always return null), but this requires certificates for all access,
> > which is what I don't want.
> >
> > I also tried setting <Valve
> > className="org.apache.catalina.valves.CertificatesValve"
> > certificates="true" debug="1"/>
> > in the context for the application but it didn't seem to help.
> >
>
> CertificatesValve does nothing if you are using the Coyote connectors.
>
> > I've also tried various combinations with CLIENT-CERT authorization
> > in the deployment descriptor for the application. Some of the
> > combinations simply block the interaction (saying no client-cert
> > presented, when there is one.)
> >
>
> This is the usual way. However, you have to use MemoryRealm, and
> enter the DN of all of your certs into tomcat-users.xml.
> Alternatively, you write your own Realm that decides which certs you
> like.
>
> > I'm running 4.1.24 and 4.1.27 on XP Pro and Win2000.
> >
> > Can anyone help?
> >
> > Thanks,
> >
> > Bill
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]