Hi! I am a newbie here. I spent a lot of time discovering that:
1. CLIENT-CERT login works only with MemoryRealm; all other predefined realms must be commented out in server.xml.
I don't see how this is the case. I think you are making mistakes somewhere.
2. In tomcat-users.xml the full Subject DN of the client certificate must be present as the username, instead of the CN, as mentioned in the mail archive. The password entered there has no meaning. To get a sample of the string containing the subject DN from the certificate, I switched off authorization and ran this simple JSP:

<%@ page import="java.security.cert.X509Certificate" %>
<%
    // Tomcat exposes the verified client certificate chain under this request attribute
    X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    // certs[0] is the end-entity (client) certificate; the rest of the chain follows
    X509Certificate clientCert = certs[0];
%>
<%= clientCert.getSubjectDN() %>

3. It is not true that only keystores in PKCS12 format work, as mentioned in the mail archive. JKS works well.
4. For CLIENT-CERT authorization to work using OpenSSL it is enough to import: a) the CA cert into the JDK keystore ($JAVA_HOME/jre/lib/security/cacerts) b) the CA cert into the Tomcat keystore, as described in the mail archive. You do not need to import client certificates into the keystores.
That's all :)
Well, you should look at the authenticator.SSLAuthenticator code, as well as realm.RealmBase and the other realm implementations.
--
xxxxxxxxxxxxxxxxxxxxxxxxx
Rémy Maucherat
Developer & Consultant
JBoss Group (Europe) SàRL
xxxxxxxxxxxxxxxxxxxxxxxxx
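The procedure the original poster pieced together (points 2 to 4 above), as an added end-to-end example that is not code from the thread or from Tomcat itself: a throwaway OpenSSL CA, a client certificate signed by it, a PKCS#12 bundle for the browser, the CA-only keytool imports into the Tomcat keystore and the JDK cacerts, and a helper that turns openssl's RFC 2253 subject output into the form Java's getSubjectDN() prints, which is the string that has to appear as the username in tomcat-users.xml. The paths, aliases, the "changeit" passwords, the JKS keystore location and the user "alice" are all assumed values for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): CLIENT-CERT setup for Tomcat
# with a self-made OpenSSL CA. Assumptions (hypothetical values):
#   - openssl and keytool are on PATH; $CATALINA_HOME and $JAVA_HOME are set
#   - the Tomcat server keystore is JKS at $CATALINA_HOME/conf/tomcat.jks
#     (the thread confirms JKS works; PKCS12 is not required)
#   - every password is "changeit" (example only, never do this in production)
set -eu

WORK=${WORK:-./pki}   # scratch directory for CA and client material
TOMCAT_KS=${TOMCAT_KS:-"${CATALINA_HOME:-/opt/tomcat}/conf/tomcat.jks"}
JDK_CACERTS=${JDK_CACERTS:-"${JAVA_HOME:-/usr/lib/jvm/default}/jre/lib/security/cacerts"}
PASS=changeit

# 1. CA: a self-signed root that will sign the client certificates.
make_ca() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/C=US/O=Example Corp/OU=Dev/CN=Example Dev CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt"
}

# 2. Client certificate signed by that CA, plus a PKCS#12 bundle for the browser.
make_client() {
    cn=$1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/C=US/O=Example Corp/OU=Dev/CN=$cn" \
        -keyout "$WORK/$cn.key" -out "$WORK/$cn.csr"
    openssl x509 -req -days 365 -in "$WORK/$cn.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/$cn.crt"
    openssl pkcs12 -export -in "$WORK/$cn.crt" -inkey "$WORK/$cn.key" \
        -certfile "$WORK/ca.crt" -name "$cn" -passout "pass:$PASS" \
        -out "$WORK/$cn.p12"
}

# 3. Trust: only the CA certificate goes into the two keystores (thread point 4).
#    Client certificates are never imported anywhere on the server side.
trust_ca() {
    keytool -import -noprompt -alias example-dev-ca -file "$WORK/ca.crt" \
        -keystore "$TOMCAT_KS" -storepass "$PASS"
    keytool -import -noprompt -alias example-dev-ca -file "$WORK/ca.crt" \
        -keystore "$JDK_CACERTS" -storepass "$PASS"
}

# 4. Username for tomcat-users.xml: the full subject DN as Java prints it
#    (RDNs most-specific first, separated by ", "), not the bare CN. openssl's
#    RFC 2253 output has the same RDN order but no space after the comma, so
#    normalise it. An escaped comma inside a value (\,) is left untouched; values
#    with other special characters may still print differently in Java, so
#    confirm the string with the JSP from the thread before relying on it.
java_dn_from_rfc2253() {
    printf '%s\n' "$1" | sed -e 's/^subject= *//' -e 's/\([^\\]\),/\1, /g'
}

cert_subject_dn() {
    java_dn_from_rfc2253 "$(openssl x509 -noout -subject -nameopt RFC2253 -in "$1")"
}

# 5. Emit the MemoryRealm entry. The password is ignored for CLIENT-CERT
#    (thread point 2) but the attribute still has to be there.
users_xml_entry() {
    dn=$(cert_subject_dn "$1")
    printf '<user username="%s" password="unused" roles="%s"/>\n' "$dn" "$2"
}

main() {
    make_ca
    make_client alice
    trust_ca
    users_xml_entry "$WORK/alice.crt" manager
}

# Only run the procedure when asked, so the helpers can be sourced without side effects.
if [ "${1:-}" = "--run" ]; then
    main
fi
```

Run it as `sh clientcert-setup.sh --run`, paste the printed `<user .../>` line into tomcat-users.xml, give alice.p12 to the browser, and keep `clientAuth="true"` on the SSL connector pointing at tomcat.jks. The DN helper is deliberately conservative: it only fixes the comma spacing, because that is the one systematic difference between openssl's RFC 2253 form and Java's toString(); anything exotic in the subject (multi-valued RDNs, non-ASCII, quoted values) is a reason to read the DN off the running server with the JSP instead of trusting the conversion.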
