This works for me. Can you post the equivalent sections of your configuration files so I can compare them to mine?
Thanks,
Mark

> -----Original Message-----
> From: Idoia Murua Belacortu [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 24, 2004 7:51 AM
> To: Tomcat Users List
> Subject: RE: tomcat certificate
>
> We are using Tomcat 5.0.19 over Linux.
>
> Idoia
>
> "Mark Thomas" <[EMAIL PROTECTED]>
> To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> Subject: RE: tomcat certificate
> 23/03/04 20:32
> Please reply to "Tomcat Users List"
>
> > Which version of Tomcat are you using?
> >
> > Mark
> >
> > -----Original Message-----
> > From: Idoia Murua Belacortu [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, March 23, 2004 5:00 PM
> > To: Tomcat Users List
> > Subject: RE: tomcat certificate
> >
> > I have configured the files as you said in the e-mail, but when I start
> > Tomcat I get the following error in the "catalina.out" file:
> >
> > Exception creating UserDatabase MBeans for UserDatabase
> > javax.management.MalformedObjectNameException: Invalid character '=' in
> > value part of property
> >
> > And it is because of the following property value in the
> > "tomcat-users.xml" file:
> >
> > username="CN=Mark Thomas, OU=WWW, O=XXX, L=YYY, ST=ZZZ, C=GB"
> >
> > It seems Tomcat does not like the '=' character inside a property value.
> > I have also tried writing:
> >
> > username="CN\=Mark Thomas, OU\=WWW, O\=XXX, L\=YYY, ST\=ZZZ, C\=GB"
> >
> > But I still get the same error.
> >
> > Don't you get the same error message? How can I avoid this?
> >
> > Thanks in advance and regards,
> > Idoia
> >
> > "Mark Thomas" <[EMAIL PROTECTED]>
> > To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> > Subject: RE: tomcat certificate
> > 18/03/04 20:46
> > Please reply to "Tomcat Users List"
> >
> > The important files are:
> >
> > server.xml:
> >
> > <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
> >            port="8443" minProcessors="5" maxProcessors="75"
> >            enableLookups="true"
> >            acceptCount="100" debug="0" scheme="https" secure="true"
> >            useURIValidationHack="false"
> >            disableUploadTimeout="true">
> >   <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
> >            keystoreFile="conf/.keystore"
> >            clientAuth="false" protocol="TLS" />
> > </Connector>
> > ...
> > <Realm className="org.apache.catalina.realm.MemoryRealm" />
> >
> > tomcat-users.xml:
> >
> > <user username="CN=Mark Thomas, OU=WWW, O=XXX, L=YYY, ST=ZZZ, C=GB"
> >       password="null" roles="tomcat,certs"/>
> >
> > web.xml:
> >
> > <?xml version="1.0" encoding="ISO-8859-1"?>
> >
> > <!DOCTYPE web-app
> >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> >
> > <web-app>
> >
> >   <display-name>Bug 12218</display-name>
> >   <description>
> >     Test web app for bug 12218.
> >   </description>
> >
> >   <security-constraint>
> >     <web-resource-collection>
> >       <web-resource-name>App</web-resource-name>
> >       <url-pattern>/protected.jsp</url-pattern>
> >     </web-resource-collection>
> >     <auth-constraint>
> >       <role-name>tomcat</role-name>
> >     </auth-constraint>
> >     <user-data-constraint>
> >       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >     </user-data-constraint>
> >   </security-constraint>
> >
> >   <login-config>
> >     <auth-method>CLIENT-CERT</auth-method>
> >   </login-config>
> >
> >   <security-role>
> >     <role-name>tomcat</role-name>
> >   </security-role>
> >
> > </web-app>
> >
> > The steps I tend to follow when setting this sort of thing up are:
> > 1. Build simple two page web app.
> > 2. Configure one page to require basic authentication
> > 3. Test basic auth - checks tomcat-users.xml and realm set up correctly
> > 4. Configure SSL
> > 5. Test http://localhost:8443/ - checks SSL set up
> > 6. Test app with SSL - not really necessary but best to double check
> > 7. Reconfigure app to use CLIENT-CERT
> >
> > > -----Original Message-----
> > > From: Idoia Murua Belacortu [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, March 18, 2004 8:01 AM
> > > To: Tomcat Users List
> > > Subject: RE: tomcat certificate
> > >
> > > Could you send us a sample of that "web.xml" file?
> > > I am also using client certificates over SSL with Tomcat, but as I could
> > > not find much information about it in Tomcat I configured it with Apache.
> > >
> > > Idoia
> > >
> > > "Mark Thomas" <[EMAIL PROTECTED]>
> > > To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> > > Subject: RE: tomcat certificate
> > > 17/03/04 21:22
> > > Please reply to "Tomcat Users List"
> > >
> > > This is not correct.
> > > Tomcat does support CLIENT-CERT authentication 'out-of-the-box'. When
> > > combined with appropriate authorisation constraints in web.xml you can
> > > limit access to specific URLs.
> > >
> > > I have this working quite happily.
> > >
> > > Mark
> > >
> > > > -----Original Message-----
> > > > From: Rommel Sharma [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, February 23, 2004 11:28 AM
> > > > To: Tomcat Users List
> > > > Subject: Re: tomcat certificate
> > > >
> > > > Tomcat as such on its own does not parse and validate a certificate.
> > > > I don't think it's possible. You can identify a client through the
> > > > certificate alias the client uses.
> > > > Access to specific URLs depends on the server certificate where you
> > > > specify the URL and send the client your public key.
> > > > I think there is no automatic mechanism in Tomcat that studies the
> > > > certificate and allows access to specific URLs. This needs to be
> > > > implemented by any of our deployed programs.
> > > >
> > > > ----- Original Message -----
> > > > From: "secam secam" <[EMAIL PROTECTED]>
> > > > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > > > Sent: Monday, February 23, 2004 4:17 PM
> > > > Subject: Re: tomcat certificate
> > > >
> > > > > Thanks,
> > > > >
> > > > > Here is my real problem,
> > > > >
> > > > > I've got an external server that authenticates users and delivers a
> > > > > certificate with the trio User/Group/Role.
> > > > >
> > > > > In fact, I just want the certificate to give information about the
> > > > > user to Tomcat in order to permit access to some specific URLs.
> > > > >
> > > > > Is it possible?
> > > > >
> > > > > Regards,
> > > > >
> > > > > Secam
> > > > >
> > > > > Rommel Sharma <[EMAIL PROTECTED]> wrote:
> > > > > If you mean two way authentication using SSL, then you have to write
> > > > > the code that reads the client's certificate and matches it with one
> > > > > present in the client keystore on the server. You enable client
> > > > > authentication in server.xml for this and specify the server keystore
> > > > > and password in it.
> > > > > Regards,
> > > > > Rommel Sharma.
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "secam secam"
> > > > > To:
> > > > > Sent: Monday, February 23, 2004 3:30 PM
> > > > > Subject: tomcat certificate
> > > > >
> > > > > > hello,
> > > > > >
> > > > > > I'm a new user of Tomcat.
> > > > > > Can Tomcat authenticate a user with a certificate?
> > > > > >
> > > > > > Thanks,
> > > > > > Secam
> > >
> > > Idoia Murua Belacortu
> > > Dpto. de Sistemas de Información y Telecomunicaciones
> > > Information Systems & Telecommunications Dept.
> > > ROBOTIKER, Corporación Tecnológica TECNALIA.
> > > Parque Tecnológico, Edificio 202. E-48170 Zamudio (Bizkaia) (SPAIN).
> > > Tel: (34) 94 600 22 66. Fax: (34) 94 600 22 99
> > > [EMAIL PROTECTED], www.robotiker.com
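An added example, not from the thread and not Tomcat's own code: a diagnostic servlet for a URL covered by the CLIENT-CERT constraint in Mark's web.xml. It reads the certificate chain the container exposes under the standard `javax.servlet.request.X509Certificate` request attribute, re-checks the validity window, and prints the subject DN in both the legacy form (the spacing Mark's tomcat-users.xml username uses) and RFC 2253 form, so a realm lookup that fails because of a DN-format mismatch can be spotted quickly. The class name, the URL it is mapped to, and the wording of the responses are assumptions.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Diagnostic servlet for a CLIENT-CERT protected URL (added example, not from
// the thread or from Tomcat). Map it to a protected path such as /whoami.
public class WhoAmIServlet extends HttpServlet {

    // Standard servlet attribute under which the container exposes the
    // client certificate chain negotiated on the TLS connection.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Returns the end-entity client certificate, or null if none was presented.
    static X509Certificate clientCert(HttpServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (attr instanceof X509Certificate[] && ((X509Certificate[]) attr).length > 0) {
            return ((X509Certificate[]) attr)[0];
        }
        return null;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate cert = clientCert(req);
        if (cert == null) {
            // Reachable only if the URL is outside the security-constraint or the
            // connector never requested a certificate: fail closed.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "no client certificate");
            return;
        }
        try {
            cert.checkValidity(); // expired or not-yet-valid certificates are rejected
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not valid");
            return;
        }
        resp.setContentType("text/plain");
        // Legacy DN form, e.g. "CN=Mark Thomas, OU=WWW, O=XXX, L=YYY, ST=ZZZ, C=GB":
        // the spacing matches the username in Mark's tomcat-users.xml entry.
        resp.getWriter().println("Subject DN : " + cert.getSubjectDN().getName());
        // RFC 2253 form ("CN=Mark Thomas,OU=WWW,...") differs in spacing/escaping;
        // a mismatch here is a common reason a realm lookup fails to find the user.
        resp.getWriter().println("RFC 2253   : " + cert.getSubjectX500Principal().getName());
        resp.getWriter().println("Remote user: " + req.getRemoteUser());
        resp.getWriter().println("Role tomcat: " + req.isUserInRole("tomcat"));
    }
}
```

If "Remote user" prints null while a subject DN is shown, the connector accepted the certificate but the realm did not match it to a user, which points at the tomcat-users.xml entry rather than at SSL.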
