Hi,

Thanks for your response.

Can you please let me know the exact location where I am supposed to configure the realm in server.xml? If I place the configuration in <tomcat_base>/conf/web.xml, the configuration is applicable for all the web apps. I want all the web applications to be protected.

Thanks
Dhaya

On Sun, May 4, 2014 at 8:27 AM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:
> 2014-05-04 3:31 GMT+04:00 Dhayanidhi sundaramoorthi <dhayamoorthi2...@gmail.com>:
> > Hi,
> >
> > In Tomcat7, we are trying to do client certificate authentication using
> > datasource realm. But it fails.
> >
> > Please find the configuration below:
> >
> > server.xml:
> > ----------------
> > <?xml version="1.0" encoding="UTF-8" standalone="no" ?>
> > <Server port="8005" shutdown="SHUTDOWN"><Listener SSLEngine="on"
> > className="org.apache.catalina.core.AprLifecycleListener"/>
> > <Listener className="org.apache.catalina.core.JasperListener"/>
> > <Listener
> > className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
> > <Listener
> > className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
> > <Listener
> > className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
> > <!-- <GlobalNamingResources><Resource auth="Container" description="User
> > database that can be updated and saved"
> > factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
> > name="UserDatabase" pathname="conf/tomcat-users.xml"
> > type="org.apache.catalina.UserDatabase"/>
> > </GlobalNamingResources> -->
> > <Service name="Catalina">
> > <Connector SSLEnabled="true" clientAuth="true" connectionTimeout="10000"
> > keyAlias="masfed_server_dit"
> > keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks" keystorePass="sso@di"
>
> It is a public list, do you know? You may want to change your passwords.
>
> > maxThreads="150" port="8443"
> > protocol="org.apache.coyote.http11.Http11Protocol" scheme="https"
> > secure="true" server="Server" sslProtocol="TLS"
> > truststorefile="/opt/ADP/keystores/masfed_server_dit.jks"
> > truststorepass="sso@di" enablelookups="false"/>
> > <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
> > <Engine defaultHost="localhost" name="Catalina">
> > <GlobalNamingResources>
> > <Realm className="org.apache.catalina.realm.DataSourceRealm"
> > dataSourceName="jdbc/FederationDS"
> > userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD"
> > userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME" debug="99"
> > allRolesMode="authOnly" />
>
> This is a wrong place for a <Realm> element. Here it will be silently
> ignored.
>
> When parsing server.xml only known and expected XML elements are
> recognized. All others are silently ignored.
>
> I do not see a DataSource configuration anywhere.
>
> > </GlobalNamingResources>
> >
> > <Host appBase="webapps" autoDeploy="true" name="localhost"
> > unpackWARs="true"><Valve
> > className="org.apache.catalina.valves.AccessLogValve" directory="logs"
> > pattern="%h %l %u %t &quot;%r&quot; %s %b" prefix="localhost_access_log."
> > suffix=".txt"/>
> > </Host>
> > </Engine>
> > </Service>
> > </Server>
> >
> >
> > security role configuration <tomcat_base>/conf/web.xml:
>
> The conf/web.xml file is a wrong place for your configuration.
> It should be in your webapp's own WEB-INF/web.xml file, not in the global
> one.
>
> > ---------------------------------------------------------------------------------
> >
> > <security-role>
> > <role-name>masFedClient</role-name>
> > </security-role>
> > <security-constraint>
> > <web-resource-collection>
> > <web-resource-name>all</web-resource-name>
> > <url-pattern>/*</url-pattern>
> > </web-resource-collection>
> > <auth-constraint>
> > <role-name>masFedClient</role-name>
> > </auth-constraint>
> > <user-data-constraint>
> > <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > </user-data-constraint>
> > </security-constraint>
> > <login-config>
> > <auth-method>CLIENT-CERT</auth-method>
> > <!-- <realm-name>tomcat-users</realm-name> -->
> > <realm-name>jdbc/FederationDS</realm-name>
>
> The realm-name is the message shown to users when using DIGEST or
> BASIC authentication.
> It has no relation to Tomcat's realms.
>
> > </login-config>
> >
> > Database has all the required tables and columns.
> >
> (...)
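Added example (not part of the thread and not Tomcat's own documentation): a minimal server.xml excerpt and a per-webapp WEB-INF/web.xml laid out the way Konstantin's comments call for, with the JNDI DataSource defined in GlobalNamingResources and the Realm under Engine so it applies to every webapp. The JDBC driver, URL, database credentials and keystore passwords are placeholders; the keystore paths, table and column names are the ones quoted in the thread.

```xml
<!-- server.xml (excerpt): the DataSource lives in GlobalNamingResources, the Realm under Engine -->
<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <!-- dataSourceName on the Realm is resolved against this global resource; the thread's
         server.xml had no DataSource at all. Driver/URL/credentials are placeholders. -->
    <Resource name="jdbc/FederationDS" auth="Container" type="javax.sql.DataSource"
              driverClassName="DB_DRIVER_CLASS" url="jdbc:DB_URL"
              username="DB_USER" password="DB_PASSWORD"
              maxActive="20" maxIdle="5" maxWait="10000"/>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS" clientAuth="true"
               keystoreFile="/opt/ADP/keystores/masfed_server_dit.jks" keystorePass="KEYSTORE_PASSWORD"
               truststoreFile="/opt/ADP/keystores/masfed_server_dit.jks" truststorePass="TRUSTSTORE_PASSWORD"/>
    <Engine name="Catalina" defaultHost="localhost">
      <!-- A Realm is only recognised at Engine, Host or Context level; placed at Engine level it
           covers every webapp. For CLIENT-CERT Tomcat by default uses the certificate's subject DN
           as the user name, so USERNAME must hold that DN string; PASSWORD is not checked. -->
      <Realm className="org.apache.catalina.realm.DataSourceRealm"
             dataSourceName="jdbc/FederationDS"
             userTable="T_USER" userNameCol="USERNAME" userCredCol="PASSWORD"
             userRoleTable="T_USER_ROLES" roleNameCol="ROLENAME"
             allRolesMode="authOnly"/>
      <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"/>
    </Engine>
  </Service>
</Server>

<!-- WEB-INF/web.xml of each webapp to protect (the global conf/web.xml is not the place) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>all</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>masFedClient</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <!-- realm-name is only a display string for BASIC/DIGEST; it does not select a Tomcat Realm -->
  </login-config>
  <security-role><role-name>masFedClient</role-name></security-role>
</web-app>
```

Because the Realm is attached to the Engine, every deployed webapp authenticates against the same T_USER/T_USER_ROLES tables, but each webapp still needs its own security-constraint and login-config in WEB-INF/web.xml to be protected.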