This is Tomcat 9.0 running embedded.

I am trying to authorize access by client certificate. I want the
servlet response to be tailored to the user's role. In other words I
am not looking to deny access by role.

The connector has sslCon.setProperty("clientAuth", "required");
The context has a config file set serverAppContext.setConfigFile(contextURL);
The config file contains

<?xml version="1.0" encoding="UTF-8"?>
  <Realm className="org.apache.catalina.realm.MemoryRealm"

users.xml contains

<?xml version='1.0' encoding='utf-8'?>
  <role rolename="cart-admin"/>
  <role rolename="cart-user"/>
  <user username="CN=TTSDB1,OU=CART,O=CART" password="" roles="cart-user"/>
  <user username="CN=TTSDB2,OU=CART,O=CART" password="" roles="cart-admin"/>

Certificates are imported into the browser and the browser prompts for
cert selection.

There are no security constraints in the app's web.xml.

In the servlet there is a test of httpReq.isUserInRole("cart-admin").
This always fails. Also a req.getUserPrincipal() call always returns
null. The request does not seem to be authenticated.

Further in the servlet, an X509Certificate[] certs = (X509Certificate[])
req.getAttribute("javax.servlet.request.X509Certificate") correctly
returns both the certificate from the browser plus the Cert Auth. A
getSubjectX500Principal().getName() call on the browser certificate
returns the cn/o/ou setting that should match with users.xml.

What am I missing here?

Dave Breeze
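
Added example (not part of the original post, and not Tomcat's own code): one way to tailor the response by role directly from the certificate the servlet already receives, without depending on a container principal. The class name, the rolesFor method and the in-code role table (constructed to mirror the users.xml entries above) are assumptions for illustration; DNs are compared as parsed LdapName values, so spacing and case differences between DN renderings do not cause a mismatch.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;

public class CertRoleLookup {
    // Constructed sample data mirroring the users.xml entries in the post.
    private static final Map<LdapName, Set<String>> ROLES = new HashMap<>();
    static {
        register("CN=TTSDB1,OU=CART,O=CART", "cart-user");
        register("CN=TTSDB2,OU=CART,O=CART", "cart-admin");
    }

    private static void register(String dn, String role) {
        try {
            ROLES.put(new LdapName(dn), Collections.singleton(role));
        } catch (InvalidNameException e) {
            throw new IllegalStateException("bad DN in role table: " + dn, e);
        }
    }

    /** Roles for a subject DN; empty for unknown, null or malformed input. */
    static Set<String> rolesFor(String subjectDn) {
        if (subjectDn == null) return Collections.<String>emptySet();
        try {
            // Whole-DN comparison on parsed RDNs, never a substring match on "CN=".
            Set<String> roles = ROLES.get(new LdapName(subjectDn));
            return roles != null ? roles : Collections.<String>emptySet();
        } catch (InvalidNameException e) {
            return Collections.<String>emptySet(); // fail closed
        }
    }

    public static void main(String[] args) {
        // In the servlet the input would be
        // certs[0].getSubjectX500Principal().getName(); certs[0] is the
        // client's own certificate, later entries are its issuers.
        String[] samples = { // constructed inputs
            "CN=TTSDB2, OU=CART, O=CART",   // spaced rendering of a known DN
            "cn=ttsdb1,ou=cart,o=cart",     // different case
            "CN=TTSDB2X,OU=CART,O=CART",    // unknown subject
            "not a dn" };                   // malformed
        for (String dn : samples) {
            System.out.println(dn + " -> " + rolesFor(dn));
        }
    }
}
```

The lookup trusts the subject DN only because the connector has already validated the chain (clientAuth is "required"); it is not a substitute for that validation.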
