Hi, people.
We have Tomcat with two-factor authentication when access to
/some/page is requested.
Auth configured with JDBCRealm & Oracle database:
<Realm className="org.apache.catalina.realm.JDBCRealm"
driverName="oracle.jdbc.driver.OracleDriver"
...
SSL-connector:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="want" sslProtocol="TLS"
keystoreFile="/home/keystore.jks"
keyAlias="keystore"
keystorePass="password"
truststoreFile="/home/trustcacerts.jks"
truststorePass="password" />
Auth required via web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>*</web-resource-name>
<url-pattern>/some/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>cert</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
<role-name>cert</role-name>
</security-role>
Client's cert created with keytool:
$ keytool -genkey -alias somealias -keystore somekey.p12 -storetype PKCS12
$ keytool -export -alias somealias -file somefile.cer -keystore somekey.p12 -storetype PKCS12
somefile.cer is imported into Tomcat's trustcacerts.jks, and somekey.p12 into the clients' browsers.
Users are present in trustcacerts.jks like:
somealias, 30-Jan-2014, trustedCertEntry,
Certificate fingerprint (MD5):
60:A1:CE:35:2D:5E:01:22:65:A7:26:19:9E:D6:F3:74
And present in Oracle database, like:
USER_NAME: CN=someuser, OU=Unknown, O=Unknown, L=Unknown, ST=Kiev, C=UA
ROLE_NAME: cert
(not exactly the same, but close to it)
Tomcat 5.5.23, running on SuSE 10. Users are on Windows 7, Firefox 26.0 and Chrome 32.0.1700.76 m.
So - we have two issues.
1) Some (!) of the users, when connecting with Chrome, got the error:
Error code: ERR_SSL_PROTOCOL_ERROR
In Catalina's log:
WARNING: Exception getting SSL attributes
javax.net.ssl.SSLHandshakeException: renegotiation is not allowed
Attempts to add allowUnsafeLegacyRenegotiation="true" and
allowLegacyHelloMessages="true" don't give any results (added to the
Connector, or as -D options to CATALINA_OPTS).
What else can be done? All the tips I googled mention only these two parameters.
2) Using Firefox, some machines get error 403, others get normal auth.
It looks like this (from Tomcat's auth log):
10.***.**.132 - CN=someuser, OU=**, O=company, L=Kiev, ST=Ukraine, C=UA [30/Jan/2014:16:50:29 +0000] "GET /some/page HTTP/1.1" 403 1108 // Got auth failed;
10.***.***.132 - CN=someanotheruser, OU=**, O=company, L=Kiev, ST=Unknown, C=UA [30/Jan/2014:16:17:29 +0000] "GET /some/page HTTP/1.1" 200 81 // Normal result.
I can only think of some difference in the browsers' configs... But
which exactly? Or something else?
Unfortunately, we don't have access to tcpdump and ssldump right now, so I
can't check the details.
Thanks for any tips/links.
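An added diagnostic for the second issue (example code, not from the original post): it parses auth-log lines in the format quoted above and, for each 403, compares the DN the browser presented against a constructed stand-in for the JDBCRealm USER_NAME column, listing the RDNs that differ. It assumes the realm looks up the certificate's whole subject DN string as the user name, so any differing attribute (e.g. ST=Ukraine vs ST=Kiev) means no row, no role and a 403; the log addresses and DB rows are constructed placeholders.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample lines in the shape of the auth log quoted in the post
# (addresses and DNs are placeholders, not real users or hosts).
ACCESS_LOG = """\
10.0.0.132 - CN=someuser, OU=**, O=company, L=Kiev, ST=Ukraine, C=UA [30/Jan/2014:16:50:29 +0000] "GET /some/page HTTP/1.1" 403 1108
10.0.0.132 - CN=someanotheruser, OU=**, O=company, L=Kiev, ST=Unknown, C=UA [30/Jan/2014:16:17:29 +0000] "GET /some/page HTTP/1.1" 200 81
"""

# Constructed stand-in for the USER_NAME column of the JDBCRealm user table.
DB_USER_NAMES = [
    "CN=someuser, OU=Unknown, O=Unknown, L=Unknown, ST=Kiev, C=UA",
    "CN=someanotheruser, OU=**, O=company, L=Kiev, ST=Unknown, C=UA",
]

# host - remoteuser [timestamp] "request" status bytes
LOG_RE = re.compile(r'^(\S+) - (.*?) \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)$')

def parse_dn(dn: str) -> Dict[str, str]:
    """Split a comma-separated DN string into {ATTRIBUTE: value}.
    Assumes no escaped commas inside values (true for the DNs in the post)."""
    parts: Dict[str, str] = {}
    for rdn in dn.split(","):
        key, _, value = rdn.strip().partition("=")
        parts[key.strip().upper()] = value.strip()
    return parts

def dn_mismatches(presented: str, stored: str) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Attributes whose values differ between the presented and the stored DN."""
    a, b = parse_dn(presented), parse_dn(stored)
    return {k: (a.get(k), b.get(k)) for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def explain_403s(log_text: str, db_names: List[str]) -> List[dict]:
    """For every 403 in the log, report whether the presented DN exists verbatim in
    the user table and, if a row with the same CN exists, which RDNs differ."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group(5) != "403":
            continue
        presented = m.group(2)
        cn = parse_dn(presented).get("CN")
        same_cn = [n for n in db_names if parse_dn(n).get("CN") == cn]
        findings.append({
            "dn": presented,
            "exact_match": presented in db_names,
            "differs": dn_mismatches(presented, same_cn[0]) if same_cn else None,
        })
    return findings

if __name__ == "__main__":
    for f in explain_403s(ACCESS_LOG, DB_USER_NAMES):
        print(f["dn"], "| exact match:", f["exact_match"], "| differs:", f["differs"])
```

Run it against the real auth log and a dump of the USER_NAME column; a non-empty "differs" for a 403 points at the attribute the certificate and the database row disagree on.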