My server.xml file has:
<Connector port="8443"
      maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100" debug="0" scheme="https" secure="true"
      clientAuth="true" sslProtocol="TLS"
      keystoreFile="/home/tomcat/jakarta-tomcat-5.0.19/conf/ssl/server/server.ks" />


The tomcat-users.xml file has:
<role rolename="certs"/>
<user   username="[EMAIL PROTECTED],  CN=Idoia,  OU=INFOTECH,
O=ROBOTIKER, L=ZAMUDIO, ST=BIZKAIA, C=ES" password="null" roles="certs"/>


The web.xml file of the application is:

<?xml version="1.0" encoding="windows-1252"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
        <description>Empty web.xml file for Web Application</description>
        <session-config>
                <session-timeout>35</session-timeout>
        </session-config>
        <mime-mapping>
                <extension>html</extension>
                <mime-type>text/html</mime-type>
        </mime-mapping>
        <mime-mapping>
                <extension>txt</extension>
                <mime-type>text/plain</mime-type>
        </mime-mapping>
        <welcome-file-list>
                <welcome-file>index.jsp</welcome-file>
                <welcome-file>index.html</welcome-file>
        </welcome-file-list>
        <resource-ref>
                <description>Saturn database</description>
                <res-ref-name>jdbc/saturn</res-ref-name>
                <res-type>javax.sql.DataSource</res-type>
                <res-auth>SERVLET</res-auth>
        </resource-ref>
        <security-constraint>
                <web-resource-collection>
                        <web-resource-name>Protected Area</web-resource-name>
                        <url-pattern>/pim.htm</url-pattern>
                </web-resource-collection>
                <auth-constraint>
                        <role-name>certs</role-name>
                </auth-constraint>
                <user-data-constraint>
                        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                </user-data-constraint>
        </security-constraint>

        <login-config>
               <auth-method>CLIENT-CERT</auth-method>
        </login-config>

        <security-role>
                <role-name>certs</role-name>
        </security-role>

</web-app>


When I start up Tomcat I get the following message in the "catalina.out" log
file:

24-mar-2004 17:37:55 org.apache.catalina.mbeans.GlobalResourcesLifecycleListener createMBeans
GRAVE: Exception creating UserDatabase MBeans for UserDatabase
javax.management.MalformedObjectNameException: Invalid character '=' in value part of property
        at javax.management.ObjectName.construct(ObjectName.java:563)
        at javax.management.ObjectName.<init>(ObjectName.java:1300)
        at org.apache.catalina.mbeans.MBeanUtils.createObjectName(MBeanUtils.java:1520)
        at org.apache.catalina.mbeans.MBeanUtils.createMBean(MBeanUtils.java:783)
        at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBeans(GlobalResourcesLifecycleListener.java:280)
        at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBeans(GlobalResourcesLifecycleListener.java:210)
        at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.createMBeans(GlobalResourcesLifecycleListener.java:172)
        at org.apache.catalina.mbeans.GlobalResourcesLifecycleListener.lifecycleEvent(GlobalResourcesLifecycleListener.java:144)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:2338)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:594)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:297)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:398)

And when I access the "/pim.htm" page via SSL and port 8443 it gives me a
Tomcat error in the navigator (HTTP 401). It is in Spanish, but in English
it would be something like:
HTTP 401 Status - Impossible to authenticate with provided credentials
type: status report
message: Impossible to authenticate with provided credentials
description: This requirement requires HTTP authentication (Impossible to
authenticate with provided credentials)

The client certificate is signed by a CA recognised by Tomcat, because when
I access other pages via SSL and port 8443, Tomcat gives no error and
accepts the client certificate.


Regards,
Idoia
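The startup exception above, as an added example that is not part of the thread or of Tomcat's own code: the failure comes from javax.management.ObjectName itself, which rejects an unquoted property value containing '=' or ',', and a DN-style username contains both. The program below reproduces the error outside Tomcat against a constructed tomcat-users.xml embedded in the code (not the real file from the thread) and prints the JMX-quoted form of the name that would have been accepted. The name layout `Catalina:type=User,username=...,database=UserDatabase` is an assumption about how Tomcat 5.0 builds the user MBean name; the check does not depend on the exact key order.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.management.MalformedObjectNameException;
import javax.management.ObjectName;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

public class UserDatabaseNameCheck {

    // Constructed sample tomcat-users.xml (not the thread's real file):
    // one plain username and one DN-style username like those in the thread.
    static final String SAMPLE_TOMCAT_USERS =
        "<tomcat-users>\n"
        + "  <role rolename=\"certs\"/>\n"
        + "  <user username=\"tomcat\" password=\"tomcat\" roles=\"certs\"/>\n"
        + "  <user username=\"CN=Idoia, OU=INFOTECH, O=ROBOTIKER, L=ZAMUDIO, ST=BIZKAIA, C=ES\"\n"
        + "        password=\"null\" roles=\"certs\"/>\n"
        + "</tomcat-users>\n";

    /**
     * Assumed shape of the MBean name Tomcat 5.0 builds for each user when the
     * GlobalResourcesLifecycleListener registers the UserDatabase. The exact
     * key order does not matter: an unquoted value containing '=' or ',' is
     * rejected by javax.management.ObjectName whatever the surrounding keys.
     */
    static String mbeanName(String username) {
        return "Catalina:type=User,username=" + username + ",database=UserDatabase";
    }

    /** Returns null if the name is legal, otherwise the JMX error message. */
    static String nameProblem(String username) {
        try {
            new ObjectName(mbeanName(username));
            return null;
        } catch (MalformedObjectNameException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        // tomcat-users.xml needs no DOCTYPE; refusing one keeps XXE out of this tool
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = dbf.newDocumentBuilder().parse(
            new ByteArrayInputStream(SAMPLE_TOMCAT_USERS.getBytes(StandardCharsets.UTF_8)));

        NodeList users = doc.getElementsByTagName("user");
        for (int i = 0; i < users.getLength(); i++) {
            String username = ((Element) users.item(i)).getAttribute("username");
            String problem = nameProblem(username);
            if (problem == null) {
                System.out.println("OK      " + username);
            } else {
                System.out.println("BROKEN  " + username);
                System.out.println("        " + problem);
                // ObjectName.quote() is the JMX-standard escaping for such values;
                // a Tomcat release that quotes the username this way registers it fine.
                System.out.println("        quoted: " + mbeanName(ObjectName.quote(username)));
            }
        }
    }
}
```

Run it as `javac UserDatabaseNameCheck.java && java UserDatabaseNameCheck`: the plain username passes, the DN username is reported with the same "Invalid character '=' in value part of property" message as the catalina.out excerpt, and the quoted variant shows why quoting (rather than the backslash escaping tried in the thread) is what JMX expects.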



                                                                                       
                                                
"Mark Thomas" <[EMAIL PROTECTED]>
To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
Subject: RE: tomcat certificate
Date: 24/03/04 20:47
Reply-To: "Tomcat Users List"



This works for me.

Can you post the equivalent sections of your configuration files so I can
compare them to mine?

Thanks,

Mark
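Mark's files use the certificate's subject DN as the username, and Idoia gets a 401 with the same approach. The realm looks the presented certificate up by the string form of its subject, and that lookup is an exact string comparison, so the username in tomcat-users.xml has to be copied from what the JVM actually produces rather than typed from a certificate viewer. The program below is an added example (not code from the thread or from Tomcat); it prints the subject DN of a client certificate file in both forms Java offers. That this Tomcat generation compares against `getSubjectDN().getName()` is an assumption here, so check both outputs against the tomcat-users.xml entry.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;

public class ClientCertUsername {

    /** Loads the first certificate from a PEM or DER encoded file. */
    static X509Certificate load(String path) throws Exception {
        try (InputStream in = new FileInputStream(path)) {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java ClientCertUsername <client-cert.pem>");
            System.exit(2);
        }
        X509Certificate cert = load(args[0]);

        // Legacy form: attributes separated by ", ", e-mail shown as EMAILADDRESS=...
        // Assumed here to be the string the realm of this Tomcat generation compares.
        System.out.println("getSubjectDN().getName():");
        System.out.println("  " + cert.getSubjectDN().getName());

        // RFC 2253 form: no space after commas, and attribute types outside the
        // RFC 2253 keyword set (EMAILADDRESS among them) are printed as OID=#hex,
        // so the two strings differ for exactly the kind of DN used in the thread.
        System.out.println("getSubjectX500Principal().getName():");
        System.out.println("  " + cert.getSubjectX500Principal().getName());

        // A matching username is useless if the certificate is outside its validity
        // window; checkValidity() throws CertificateExpiredException or
        // CertificateNotYetValidException, which would surface as a rejected login.
        cert.checkValidity();
        System.out.println("validity window OK: " + cert.getNotBefore()
                           + " .. " + cert.getNotAfter());
    }
}
```

Export the client certificate from the browser or keystore as PEM, run `java ClientCertUsername client.pem`, and paste the printed legacy-form line verbatim (spacing and attribute order included) as the `username` attribute; `getSubjectDN()` is deprecated in recent JDKs but still present, which is why both forms are printed.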

> -----Original Message-----
> From: Idoia Murua Belacortu [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, March 24, 2004 7:51 AM
> To: Tomcat Users List
> Subject: RE: tomcat certificate
>
>
> We are using Tomcat 5.0.19 over Linux.
>
> Idoia
>
>
>
>
>
> "Mark Thomas" <[EMAIL PROTECTED]>
> To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> Subject: RE: tomcat certificate
> Date: 23/03/04 20:32
> Reply-To: "Tomcat Users List"
>
> Which version of tomcat are you using?
>
> Mark
>
> > -----Original Message-----
> > From: Idoia Murua Belacortu [mailto:[EMAIL PROTECTED]
> > Sent: Tuesday, March 23, 2004 5:00 PM
> > To: Tomcat Users List
> > Subject: RE: tomcat certificate
> >
> >
> > I have configured the files as you said in the e-mail, but when I start
> > Tomcat I get the following error in "catalina.out" file:
> >  Exception creating UserDatabase MBeans for UserDatabase
> > javax.management.MalformedObjectNameException: Invalid character '=' in
> > value part of property
> >
> > And it is because of the following property value in the
> > "tomcat-users.xml" file:
> > username="CN=Mark Thomas, OU=WWW, O=XXX, L=YYY, ST=ZZZ, C=GB"
> > It seems tomcat does not like the '=' character inside a property value.
> > I have also tried writing:
> > username="CN\=Mark Thomas, OU\=WWW, O\=XXX, L\=YYY, ST\=ZZZ, C\=GB"
> > But I still get the same error.
> >
> > Don't you get the same error message? How can I avoid this?
> >
> > Thanks in advance and regards,
> > Idoia
> >
> >
> >
> >
> >
> >
> >
> > "Mark Thomas" <[EMAIL PROTECTED]>
> > To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> > Subject: RE: tomcat certificate
> > Date: 18/03/04 20:46
> > Reply-To: "Tomcat Users List"
> >
> > The important files are:
> > server.xml:
> >     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
> >                port="8443" minProcessors="5" maxProcessors="75"
> >                enableLookups="true"
> >            acceptCount="100" debug="0" scheme="https" secure="true"
> >                useURIValidationHack="false"
> > disableUploadTimeout="true">
> >       <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
> >                keystoreFile="conf/.keystore"
> >                clientAuth="false" protocol="TLS" />
> >     </Connector>
> > ...
> >     <Realm className="org.apache.catalina.realm.MemoryRealm" />
> >
> > tomcat-users.xml:
> >   <user username="CN=Mark Thomas, OU=WWW, O=XXX, L=YYY, ST=ZZZ, C=GB"
> >         password="null" roles="tomcat,certs"/>
> >
> > web.xml:
> > <?xml version="1.0" encoding="ISO-8859-1"?>
> >
> > <!DOCTYPE web-app
> >     PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
> >     "http://java.sun.com/dtd/web-app_2_3.dtd">
> >
> > <web-app>
> >
> >     <display-name>Bug 12218</display-name>
> >     <description>
> >       Test web app for bug 12218.
> >     </description>
> >
> >     <security-constraint>
> >              <web-resource-collection>
> >              <web-resource-name>App</web-resource-name>
> >                  <url-pattern>/protected.jsp</url-pattern>
> >              </web-resource-collection>
> >              <auth-constraint>
> >                  <role-name>tomcat</role-name>
> >              </auth-constraint>
> >              <user-data-constraint>
> >
> > <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> >              </user-data-constraint>
> >     </security-constraint>
> >
> >     <login-config>
> >       <auth-method>CLIENT-CERT</auth-method>
> >     </login-config>
> >
> >     <security-role>
> >       <role-name>tomcat</role-name>
> >     </security-role>
> >
> > </web-app>
> >
> >
> > The steps I tend to follow when setting this sort of thing up are:
> > 1. Build simple two page web app.
> > 2. Configure one page to require basic authentication
> > 3. Test basic auth - checks tomcat-users.xml and realm set up
> > correctly
> > 4. Configure SSL
> > 5. Test http://localhost:8443/ - checks SSL set up
> > 6. Test app with SSL - not really necessary but best to double check
> > 7. Reconfigure app to use CLIENT-CERT
> >
> > > -----Original Message-----
> > > From: Idoia Murua Belacortu [mailto:[EMAIL PROTECTED]
> > > Sent: Thursday, March 18, 2004 8:01 AM
> > > To: Tomcat Users List
> > > Subject: RE: tomcat certificate
> > >
> > >
> > > Could you send us a sample of that "web.xml" file?
> > > I am also using client certificates over SSL with Tomcat, but as I could
> > > not find much information about it in Tomcat I configured it with Apache.
> > >
> > > Idoia
> > >
> > >
> > >
> > >
> > >
> > > "Mark Thomas" <[EMAIL PROTECTED]>
> > > To: "'Tomcat Users List'" <[EMAIL PROTECTED]>
> > > Subject: RE: tomcat certificate
> > > Date: 17/03/04 21:22
> > > Reply-To: "Tomcat Users List"
> > >
> > > This is not correct. Tomcat does support CLIENT-CERT authentication
> > > 'out-of-the-box'. When combined with appropriate authorisation constraints
> > > in web.xml you can limit access to specific URLs.
> > >
> > > I have this working quite happily.
> > >
> > > Mark
> > >
> > > > -----Original Message-----
> > > > From: Rommel Sharma [mailto:[EMAIL PROTECTED]
> > > > Sent: Monday, February 23, 2004 11:28 AM
> > > > To: Tomcat Users List
> > > > Subject: Re: tomcat certificate
> > > >
> > > > Tomcat as such on its own does not parse and validate a certificate.
> > > > I don't think it's possible. You can identify a client through the
> > > > certificate alias the client uses.
> > > > Access to specific URLs depends on the server certificate where you
> > > > specify the URL and send the client your public key.
> > > > I think there is no automatic mechanism in Tomcat that studies the
> > > > certificate and allows access to specific URLs. This needs to be
> > > > implemented by any of our deployed programs.
> > > >
> > > > ----- Original Message -----
> > > > From: "secam secam" <[EMAIL PROTECTED]>
> > > > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > > > Sent: Monday, February 23, 2004 4:17 PM
> > > > Subject: Re: tomcat certificate
> > > >
> > > > > Thanks,
> > > > >
> > > > > Here is my real problem,
> > > > >
> > > > > I've got an external server that authenticates users and delivers a
> > > > > certificate with the trio User/Group/Role.
> > > > >
> > > > > In fact, I just want the certificate to give information about the user
> > > > > to Tomcat in order to permit access to some specific URLs.
> > > > >
> > > > > Is it possible?
> > > > >
> > > > > Regards,
> > > > >
> > > > > Secam
> > > > >
> > > > > Rommel Sharma <[EMAIL PROTECTED]> wrote:
> > > > > If you mean two way authentication using SSL, then you have to write the
> > > > > code that reads the client's certificate and matches it with one present
> > > > > in the client keystore on the server. You enable client authentication in
> > > > > server.xml for this and specify the server keystore and password in it.
> > > > > Regards,
> > > > > Rommel Sharma.
> > > > >
> > > > > ----- Original Message -----
> > > > > From: "secam secam"
> > > > > To:
> > > > > Sent: Monday, February 23, 2004 3:30 PM
> > > > > Subject: tomcat certificate
> > > > >
> > > > > > hello,
> > > > > >
> > > > > > I'm a new user of tomcat.
> > > > > > Can tomcat authenticate a user with a certificate?
> > > > > >
> > > > > > Thanks,
> > > > > > Secam
> > > > > >
> > > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > Idoia Murua Belacortu
> > > Dpto. de Sistemas de Información y Telecomunicaciones
> > > Information Systems & Telecommunications Dept.
> > > ROBOTIKER, Corporación Tecnológica TECNALIA.
> > > Parque Tecnológico, Edificio 202. E-48170 Zamudio (Bizkaia) (SPAIN).
> > > Tel: (34) 94 600 22 66. Fax: (34) 94 600 22 99
> > > [EMAIL PROTECTED], www.robotiker.com