Thanks, I'm not using browsers, this is for application-to-application security. I have a test application which has its own keystore, its certs and tomcat's certs are in its store. Its certs and tomcats certs are in tomcats store. They are in a chain from a trusted authority. This all works perfectly if client-auth=true on the 443 connector. So it does not appear to be a certs problem. It fails when I set client-auth to false and set client-cert to true on the application deployment descriptor.
I would be happy to turn commons-logging to the values you suggest, but don't have a clue how to do that. (is this a -D parameter to tomcat?) Thanks for the assistance, if you can point me to some documentation on changing logging (and also if possible on how to write your own realms) I would be grateful. TIA, Bill On 28 Oct 2003 at 23:10, Bill Barker wrote: > > "Bill Harrelson" <[EMAIL PROTECTED]> wrote in message > news:[EMAIL PROTECTED] > > Thank you very much. It's nice to find people that know this stuff. > > > > Unfortunately > req.getAttribute("org.apache.coyote.request.X509Certificate"); > > > > also returns null when CLIENT-AUTH is set to false. Do I have some > configuration problem > > I don't know about? > > IFAIK, all of MSIE/Netscape7/Mozilla will automatically reject certs > that haven't got a signer in (the for want of a better word :) > TrustStore. Of course, you have to include your signer in Tomcat's > TrustStore (or the cert will be rejected). > > It would be helpful if you could turn up your commons-logging level to > 'debug', or even 'trace' for the 'org.apache.tomcat.net' Selector, and > report back. > > > > > I have seen several mentions on newsgroups that these attributes > > are > supposed to work, > > but nobody talks about whether client-auth is set to true or false. > > They > work just fine if > > client-auth is true. I'm hoping there's a solution if client-auth > > is > false, as tomcat (or coyote) > > certainly gets the certificate according to javax.net.debug=all, and > validates it as known to > > its keystore, it's hard to believe that it just throws it away. I'm > trying to set context for my > > application based on which company is connecting by looking up the > DN/PubKey in an > > internal database. The request gets through to the application, I > > just > can't get the cert. > > > > The idea of using CLIENT-CERT with my own realm is an interesting > > one. I > guess you're > > saying that CLIENT-CERT on the application works exactly like > CLIENT-AUTH=TRUE > > works for the Coyote connector which I had hoped but hadn't found to > > be > true, but that may > > be the realm problem). > > > > Okay, so I wrote my own realm and put it in the application context > > like > this (modeled on > > JDBCRealm): > > <Context path="/Application" docBase="Reflector" debug="0" > > crossContext="true" > > > <Realm className="com.myco.myappname.myRealm" debug="99" > > driverName="sun.jdbc.odbc.JdbcOdbcDriver" > > connectionURL="jdbc:odbc:CATALINA2"/> > > </Context> > > > > and in my app deployment-descriptor: > > > > <login-config> > > <auth-method>CLIENT-CERT</auth-method> > > <realm-name>myApp Certificates Realm</realm-name> > > </login-config> > > > > I get the Realm to start and see the startup messages, (after > > putting an > large! number of > > jars in the classpath) and I still get this error from the app: > > > > <snip> > > E> </head><body><h1>HTTP Status 400 - No client certificate chain in > > this > reques > > t</h1><HR size="1" noshade><p><b>type</b> Status > report</p><p><b>message</b> > > <u> > > No client certificate chain in this > > request</u></p><p><b>description</b> > <u>The > > request sent by the client was syntactically incorrect (No client > certificate ch > > ain in this request).</u></p><HR size="1" noshade><h3>Apache > Tomcat/4.1.24</h3>< > > /body></html> > > </snip> > > > > The certificate never gets into my Realm for authorization. But of > > course > it does if I set > > CLIENT-AUTH to true. > > > > What am I doing wrong? > > > > Thanks in advance, > > > > Bill > > > > > > > > On 26 Oct 2003 at 14:39, Bill Barker wrote: > > > > > > > > "Bill Harrelson" <[EMAIL PROTECTED]> wrote in message > > > news:[EMAIL PROTECTED] > > > > To whoever can help: > > > > > > > > I have an application which requires certificates, and a bunch > > > > of servlets which don't. In my application I need to determine > > > > the originating client of the certificate-based connection > > > > (which comes from an enterprise application). I can do this if > > > > I can get access to either the request Principal, or the > > > > certificate itself. > > > > > > > > I have tried to use > > > > req.getUserPrincipal(); > > > > req.getAttribute("javax.servlet.request.X509Certificate"); and > > > > req.getAttribute("javax.net.ssl.peer_certificates"); > > > > > > > > > > This is specific to Tomcat 4.1 and higher, but: > > > req.getAttribute("org.apache.coyote.request.X509Certificate"); > > > > > > should work. Of course, this ties your application to Tomcat and > > > there is no guarantee that future versions of Tomcat will continue > > > to support it (although currently 5.0 does). > > > > > > > all return null unless CLIENT-AUTH=true in server.xml is set, > > > > (in which case the x509cert attribute returns the cert chain > > > > the rest > > > > always return null) > > > > but this requires certificates for all access which is what I > > > > don't want. > > > > > > > > I also tried setting <Valve > > > > className="org.apache.catalina.valves.CertificatesValve" > > > > certificates="true" debug="1"/> > > > > in the context for the application but it didn't seem to help. > > > > > > > > > > CertificatesValve does nothing if you are using the Coyote > > > connectors. > > > > > > > I've also tried various combinations with CLIENT-CERT > > > > authorization in the deployment descriptor for the application. > > > > Some of the combinations simly block the interaction (saying no > > > > client-cert presented, when there is one.) > > > > > > > > > > This is the usual way. However, you have to use MemoryRealm, and > > > enter the DN of all of your certs into tomcat-users.xml. > > > Alternatively, you write your own Realm that decides which certs > > > you like. > > > > > > > I'm running 4.1.24 and 4.1.27 on XP Pro and Win2000. > > > > > > > > Can anyone help? > > > > > > > > Thanks, > > > > > > > > Bill > > > > > > > > > > > > > > > ------------------------------------------------------------------ > > > --- To unsubscribe, e-mail: > > > [EMAIL PROTECTED] For additional > > > commands, e-mail: [EMAIL PROTECTED] > > > > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] For > additional commands, e-mail: [EMAIL PROTECTED] > --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
