Graham,

On Fri, Mar 13, 2015 at 3:39 PM, Graham Leggett <minf...@sharp.fm> wrote:

> Hi all,
>
> I have a basic authentication setup that works great as below.
>
> <login-config>
>   <auth-method>BASIC</auth-method>
>   <realm-name>Patricia</realm-name>
> </login-config>
>
> <!-- Security roles referenced by this web application -->
> <security-role>
>   <role-name>administrator</role-name>
> </security-role>
> <security-role>
>   <role-name>underwriter</role-name>
> </security-role>
> <security-role>
>   <role-name>accountant</role-name>
> </security-role>
> <security-role>
>   <role-name>broker</role-name>
> </security-role>
> <security-role>
>   <role-name>feeds</role-name>
> </security-role>
>
> It is backed up with a realm like this:
>
> <Realm className="org.apache.catalina.realm.DataSourceRealm"
> [snip]
>        userTable="person" userNameCol="mail"
>        userCredCol="user_password"
>        userRoleTable="company_person" roleNameCol="serial" />
>
> I need to switch basic authentication to client certificates, as provided
> by Apache httpd and proxied in with AJP. The username is provided by Apache
> httpd in REMOTE_USER.
>
> In theory, changing the auth-method to CLIENT-CERT should do the trick,
> but I just get forbidden.
>
> What doesn't seem to fit is the realm definition - specifying userCredCol
> is marked as mandatory, but this is obviously not present with a client
> certificate. What do you specify in this field?
>
> Does anyone have a working example of authentication using client
> certificates and authorization using a realm backed with a DataSource?

Here's a nice article detailing how to add CLIENT-CERT:

http://java.dzone.com/articles/enabling-client-cert-based

It is based on MemoryRealm, not DataSourceRealm, but the idea is similar. Here's a summary:

1. You need to define user/pass/roles:

   <role rolename="secureconn"/>
   <user username="CN=client1, OU=Application Development, O=GoSmarter, L=Bangalore, ST=KA, C=IN" password="null" roles="secureconn"/>

2. You define in web.xml the login type:

   <login-config>
     <auth-method>CLIENT-CERT</auth-method>
     <realm-name>Demo App</realm-name>
   </login-config>

You would get a 403 if an invalid certificate is sent, based on the security constraints you set earlier.

Ultimately, you need to turn on extra logging on that realm so you would know why the 403s were generated.

Try doing some online searching for the type of errors you got. Here's what pops up in my quick google search:

http://stackoverflow.com/questions/5086457/setting-up-client-cert-authentication-with-roles-on-tomcat-6-0

This person had an issue with how CNs were handled, and as a result extra spaces were inserted between commas, e.g.

(1) no spaces:   "CN=testuser,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU"
(2) with spaces: "CN=testuser, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU"

The issue was how the X509Principal.getName() call returned it:

X500Principal.RFC2253
X500Principal.RFC1779

Let us know what you find by turning on extra logging.

Cheers!
Neven
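The DN-formatting mismatch Neven points to, shown as an added example that is not part of this thread or of Tomcat's code: the same subject rendered with RFC 2253 and RFC 1779 separators, and a comparison that goes through javax.security.auth.x500.X500Principal so that a DN typed into the realm's user table with spaces still matches one without. The two DN strings are the constructed samples from the Stack Overflow link above.

```java
import javax.security.auth.x500.X500Principal;

public class DnFormats {
    // Constructed sample: how an admin might type the DN into the realm's user table.
    static final String STORED_WITH_SPACES =
        "CN=testuser, O=Internet Widgits Pty Ltd, ST=Some-State, C=AU";
    // Constructed sample: the same subject without spaces after the commas.
    static final String STORED_NO_SPACES =
        "CN=testuser,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU";

    // Plain string equality: fails as soon as the separator style differs.
    static boolean naiveMatch(String a, String b) {
        return a.equals(b);
    }

    // Parse both sides as X500Principal; equals() compares canonical forms,
    // so spacing and attribute-type case no longer matter.
    static boolean canonicalMatch(String a, String b) {
        return new X500Principal(a).equals(new X500Principal(b));
    }

    public static void main(String[] args) {
        X500Principal subject = new X500Principal(STORED_WITH_SPACES);

        // getName(RFC2253) joins RDNs with "," only; getName(RFC1779) uses ", ".
        // getName() with no argument is the RFC2253 form, which is why a table
        // entry written with spaces does not match a lookup key built from it.
        System.out.println("RFC2253: " + subject.getName(X500Principal.RFC2253));
        System.out.println("RFC1779: " + subject.getName(X500Principal.RFC1779));
        System.out.println("default: " + subject.getName());

        System.out.println("naive match:     "
            + naiveMatch(STORED_WITH_SPACES, STORED_NO_SPACES));
        System.out.println("canonical match: "
            + canonicalMatch(STORED_WITH_SPACES, STORED_NO_SPACES));
    }
}
```

When the realm lookup has to be an exact string match against a database column, store the value of getName(X500Principal.RFC2253) rather than a hand-typed DN, so the stored key is produced by the same formatter the container uses.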