> Date: Sat, 3 May 2014 19:31:17 -0400
> Subject: Tomcat7 Client Certificate Authentication Using Datasource Realm Fails
> From: dhayamoorthi2...@gmail.com
> To: users@tomcat.apache.org
>
> Hi,
>
> In Tomcat7, we are trying to do client certificate authentication using
> datasource realm. But it fails.
>
> Please find the configuration below:
>
> server.xml:
> ----------------
> <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
> <Server port="8005" shutdown="SHUTDOWN">
>   <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
>   <Listener className="org.apache.catalina.core.JasperListener"/>
>   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
>   <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
>   <!-- <GlobalNamingResources>
>     <Resource auth="Container" description="User database that can be updated and saved"
>       factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>       name="UserDatabase" pathname="conf/tomcat-users.xml"
>       type="org.apache.catalina.UserDatabase"/>
>   </GlobalNamingResources> -->
>   <Service name="Catalina">
>     <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="10000"
>       keyAlias="masfed_server_dit"
>       keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks" keystorePass="sso@di"
>       maxThreads="150" port="8443"
>       protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
>       secure="true" server="Server" sslProtocol="TLS"
>       truststorefile="/opt/ADP/keystores/masfed_server_dit.jks"
>       truststorepass="sso@di" enablelookups="false"/>
>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
>     <Engine defaultHost="localhost" name="Catalina">
>       <!-- <Realm className="org.apache.catalina.realm.MemoryRealm" resourceName="UserDatabase"/> -->
>       <!--
>       <Realm className="org.apache.catalina.realm.LockOutRealm">
>         <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>
>       </Realm>
>       -->
>       <GlobalNamingResources>
>         <Realm className="org.apache.catalina.realm.DataSourceRealm"
>           dataSourceName="jdbc/FederationDS"
>           userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD"
>           userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME" debug="99"
>           allRolesMode="authOnly" />
>       </GlobalNamingResources>
>
>       <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
>         <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>           pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log."
>           suffix=".txt"/>
>       </Host>
>     </Engine>
>   </Service>
> </Server>
>
>
> security role configuration <tomcat_base>/conf/web.xml:
> ---------------------------------------------------------------------------------
>
> <security-role>
>   <role-name>masFedClient</role-name>
> </security-role>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>all</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>masFedClient</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
>   <!-- <realm-name>tomcat-users</realm-name> -->
>   <realm-name>jdbc/FederationDS</realm-name>
> </login-config>
>
> Database has all the required tables and columns.
>
> But authentication fails with the below mentioned error:
>
> FINE: Checking validity for '$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$'

MG> this is an insane value.. change it to something meaningful using [A-Z][0-9] characters
MG> besides which your user_name length is WAY beyond the 15 byte allocation for the table
MG> create table T_USER ( user_name varchar(15) not null primary key, user_pass varchar(15) not null );
MG>

> May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
> FINE: Checking validity for 'CN=VeriSign Class 3 Extended Validation SSL SGC CA, OU=Terms of use at https://www.verisign.com/rpa (c)06, OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US'
> May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase authenticate
> FINE: Checking validity for 'CN=VeriSign Class 3 Public Primary Certification Authority - G5, OU="(c) 2006 VeriSign, Inc. - For authorized use only", OU=VeriSign Trust Network, O="VeriSign, Inc.", C=US'
> May 03, 2014 7:16:29 PM org.apache.catalina.realm.RealmBase getPrincipal
> FINE: Got user name from X509 certificate: $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$
> May 03, 2014 7:16:29 PM org.apache.catalina.authenticator.AuthenticatorBase invoke
> FINE: Failed authenticate() test
>
> For security purposes, I had made the certificate CN name as $$$$$$$$$$.

MG> cn is ROLE not the user_name
MG> https://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html

> The error message does not tell why the authentication is failing.

MG> yes it does.. it cannot authenticate $$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$$

> Do I need to enable additional logs? If so, how to enable.
>
> Request your help in fixing this issue.
> Any help would be highly appreciated.
>
> Thanks
> Dhaya
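Two things in the posted server.xml are worth checking before touching the database. First, the `<Realm>` is nested inside a `<GlobalNamingResources>` element under `<Engine>`; `GlobalNamingResources` is a child of `<Server>` that holds JNDI resources such as the JDBC DataSource, and Tomcat's configuration parser only installs a Realm that is a direct child of `<Engine>`, `<Host>` or `<Context>`. A realm placed there is not installed, which leaves the engine with no usable realm and is consistent with `getPrincipal` returning nothing and the `Failed authenticate() test` line. Second, Tomcat matches connector attribute names to setters case-sensitively: the documented names are `truststoreFile`, `truststorePass` and `enableLookups`, not the lower-case spellings in the post. If the trust store attributes are not applied, the connector is likely to fall back to the JVM default trust store, and with `clientAuth="true"` any certificate chaining to a public CA (such as the VeriSign chain in the log) passes the TLS layer, so the realm lookup becomes the only thing gating access. The following corrected skeleton is an added example written for this thread; it is not the poster's file or Tomcat's shipped server.xml. The JDBC driver, URL and database credentials of `jdbc/FederationDS` and the separate trust-store path `/opt/ADP/keystores/masfed_trust_dit.jks` are placeholders assumed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: corrected server.xml layout for CLIENT-CERT with DataSourceRealm.
     Not taken from the thread or from Tomcat; driver, URL, DB credentials and the
     trust-store path are assumed placeholders. -->
<Server port="8005" shutdown="SHUTDOWN">
  <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.core.JasperListener"/>
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>

  <!-- GlobalNamingResources lives directly under <Server> and holds the DataSource
       the realm resolves by JNDI name. It is not a container for <Realm>. -->
  <GlobalNamingResources>
    <!-- driverClassName, url, username and password below are assumed values -->
    <Resource name="jdbc/FederationDS" auth="Container" type="javax.sql.DataSource"
              driverClassName="org.postgresql.Driver"
              url="jdbc:postgresql://db.example.internal:5432/federation"
              username="tomcat_realm" password="change-me"
              maxActive="10" maxIdle="5" maxWait="10000"/>
  </GlobalNamingResources>

  <Service name="Catalina">
    <!-- Attribute names are case-sensitive: truststoreFile / truststorePass /
         enableLookups. The trust store should contain ONLY the CA(s) permitted to
         issue client certificates; it is a separate file from the server keystore. -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true"
               maxThreads="150" connectionTimeout="10000" enableLookups="false"
               sslProtocol="TLS" clientAuth="true"
               keyAlias="masfed_server_dit"
               keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks"
               keystorePass="sso@di"
               truststoreFile="/opt/ADP/keystores/masfed_trust_dit.jks"
               truststorePass="sso@di"/>

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>

    <Engine name="Catalina" defaultHost="localhost">
      <!-- The Realm is a direct child of <Engine>. LockOutRealm is optional.
           No debug="99": Tomcat 7 ignores it; use conf/logging.properties. -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.DataSourceRealm"
               dataSourceName="jdbc/FederationDS"
               userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD"
               userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME"/>
      </Realm>

      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt"
               pattern="%h %l %u %t &quot;%r&quot; %s %b"/>
      </Host>
    </Engine>
  </Service>
</Server>
```

With CLIENT-CERT the username the realm looks up is not the CN alone: it is the string Tomcat prints after `Got user name from X509 certificate:`, the full subject DN of the client certificate in the same form as the VeriSign lines in the log (`CN=..., OU=..., O="VeriSign, Inc.", C=US`). The `T_USER.USERNAME` row and the matching `T_USER_ROLES` row (with `ROLENAME` = `masFedClient`) must hold exactly that string, so the column needs far more than 15 characters; `PASSWORD` is read but never compared for certificate authentication. The `<realm-name>` in `<login-config>` is not used for CLIENT-CERT and can stay commented out. The log lines the poster already has come from `FINE` logging on `org.apache.catalina.realm` and `org.apache.catalina.authenticator`; once a DataSourceRealm is actually installed, the same level also reports the realm's JNDI lookup and query failures.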