alright, i've spent most of the day on this - i'm running tomcat 4.0.3
with a JNDIRealm and i CANNOT get CLIENT-CERT authentication to work.
- i have a client cert installed in IE
- web.xml is set to CLIENT-CERT
- IE is including the cert chain in the request
- Tomcat validates the cert chain
- I always get 'Cannot authenticate with the provided credentials'
i dove into the source code only to realize the
JNDIRealm.getPrincipal(String username) always returns null. JDBCRealm
is the same - sorry, but i must be missing something - how can
client-cert authentication work if the cert is never authenticated
against the realm? any info would be greatly appreciated. code path is
shown below:
SSLAuthenticator ----

    public boolean authenticate(HttpRequest request,
                                HttpResponse response,
                                LoginConfig config)
    ...
        // Authenticate the specified certificate chain
        principal = context.getRealm().authenticate(certs);
        if (principal == null) {
            if (debug >= 1)
                log(" Realm.authenticate() returned false");
            hres.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                           sm.getString("authenticator.unauthorized"));
            return (false);
        }

RealmBase ---- (this method does not exist on JNDIRealm)

    public Principal authenticate(X509Certificate certs[]) {
    ...
        // Check the existence of the client Principal in our database
        return (getPrincipal(certs[0].getSubjectDN().getName()));
    }

JNDIRealm ---- (abstract on RealmBase)

    protected Principal getPrincipal(String username) {
        return (null);
    }
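As an added illustration of the code path quoted above (not code from the post or from Tomcat itself), here is a minimal RealmBase subclass that backs the getPrincipal() hook with a table keyed by the exact subject DN string; it assumes Tomcat 4's RealmBase abstract methods getName() and getPassword(String) and the GenericPrincipal(Realm, String, String, List) constructor, and the DN and roles are constructed sample data.

```java
import java.security.Principal;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

// Hypothetical realm for CLIENT-CERT: RealmBase.authenticate(X509Certificate[])
// hands certs[0].getSubjectDN().getName() to getPrincipal(), so the lookup key
// is the subject DN string, not a login name. Any DN not in the table yields
// null, and SSLAuthenticator then answers 401 (fails closed), which is exactly
// what a realm whose getPrincipal() always returns null produces.
public class DnTableRealm extends RealmBase {

    // Constructed sample data: subject DN -> roles. The key must match the
    // DN string form the JVM produces (RDN order and spacing included).
    private final Map users = new HashMap();

    public DnTableRealm() {
        List roles = new ArrayList();
        roles.add("tomcat");
        roles.add("manager");
        users.put("CN=alice, OU=Engineering, O=Example Corp, C=US", roles);
    }

    // Assumed abstract hook on Tomcat 4's RealmBase: realm name for logging.
    protected String getName() {
        return "DnTableRealm";
    }

    // Assumed abstract hook on Tomcat 4's RealmBase; certificate-authenticated
    // users carry no password, so nothing is returned.
    protected String getPassword(String username) {
        return null;
    }

    // Called with the subject DN by RealmBase.authenticate(X509Certificate[]).
    protected Principal getPrincipal(String username) {
        List roles = (List) users.get(username);
        if (roles == null) {
            return null;   // unknown DN: authentication must fail
        }
        return new GenericPrincipal(this, username, null, roles);
    }
}
```

The chain validation done by the SSL layer only proves the client holds a key for some trusted CA; the realm lookup is what ties that DN to an application identity, so a null here is a policy decision, not a bug in the authenticator.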