Java Mailing List Archive

http://www.junlu.com/


CLIENT-CERT Authentication & JAASRealm not working

Butler

2007-01-17


Hi All,

I tried to configure my webapp to authenticate users with the CLIENT-CERT auth method.
My first test used UserDatabaseRealm, adding the client cert DN to
tomcat-users.xml, and everything worked great. However, when I tried to use
JAASRealm, it failed even though my custom LoginModule always returns true for
any username.

To verify my LoginModule, I tried using "BASIC" to authenticate the user. My
LoginModule is called and successfully authenticates any input.

After studying the Tomcat 5.5.20 source, I found that the problem is
caused by RealmBase.java and JAASRealm.java.

In RealmBase, for CLIENT-CERT, SSLAuthenticator calls:

  public Principal authenticate(X509Certificate certs[]);

which only validates the certs and then calls
getPrincipal(certs[0]) to get the Principal. However, JAASRealm
does not override this method, and its getPrincipal method always
returns null.


In my case I can't use another type of Realm because only the CA's
DN is known. I can't insert all user cert DNs into tomcat-users.xml
before the server starts. Is there any suggestion on how to implement
CLIENT-CERT authentication without knowing the client cert's DN?

Thanks
Butler



In server.xml :
  <!-- clientAuth="want" lets the TLS handshake complete without a client
       certificate; SSLAuthenticator then rejects the request because no
       certificate chain is available to authenticate. The chain that is
       presented is verified against truststoreFile during the handshake. -->
  <Connector port="8443" maxHttpHeaderSize="8192"
         maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
         enableLookups="false" disableUploadTimeout="true"
         acceptCount="100" scheme="https" secure="true" debug="99"
         clientAuth="want" sslProtocol="TLS"
         keystoreFile="conf/server.ks"
         truststoreFile="conf/trust.ks"
         />


   <!-- appName is the entry name looked up in the JAAS login configuration;
        userClassNames/roleClassNames tell the realm which Principal classes
        in the Subject are the user and the roles. -->
   <Realm className="org.apache.catalina.realm.JAASRealm"
        appName="Tomcat"
        userClassNames="test.UserPrincipal"
        roleClassNames="test.RolePrincipal"
        useContextClassLoader="false"
        />


in web.xml :

  <security-role>
    <role-name>cert</role-name>
  </security-role>

  <security-constraint>
    <web-resource-collection>
       <web-resource-name>Test</web-resource-name>
       <url-pattern>/test/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
       <role-name>cert</role-name>
    </auth-constraint>
    <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
   <auth-method>CLIENT-CERT</auth-method>
  </login-config>
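One way to work around the behaviour described in the post, as an added example that is not part of the original post and not Tomcat's own code: subclass JAASRealm and override getPrincipal(String), which is the method RealmBase.authenticate(X509Certificate[]) ends up calling with the subject DN of the first certificate after the chain has been validated. The override runs a JAAS login with that DN as the user name and builds the Tomcat principal from the resulting Subject. It assumes the Tomcat 5.5 protected members appName and createPrincipal(String, Subject) on JAASRealm, and a LoginModule that decides on the NameCallback alone; the class name test.CertJAASRealm and the callback handler are this example's own.

```java
package test;

import java.io.IOException;
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.NameCallback;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.catalina.realm.JAASRealm;

/**
 * Added example (not from the original post or the Tomcat project).
 *
 * For CLIENT-CERT, SSLAuthenticator calls RealmBase.authenticate(X509Certificate[]),
 * which validates the chain and then calls getPrincipal(certs[0]); RealmBase
 * reduces that to getPrincipal(subjectDN). JAASRealm in Tomcat 5.5 returns
 * null from getPrincipal(String), so this subclass performs a JAAS login
 * with the subject DN as the user name instead.
 *
 * Assumed Tomcat 5.5 API: the protected field appName and the protected
 * method createPrincipal(String, Subject) inherited from JAASRealm.
 */
public class CertJAASRealm extends JAASRealm {

    protected Principal getPrincipal(String subjectDn) {
        // The TLS handshake already verified the certificate chain against the
        // connector's truststore, so the DN is an authenticated identity here.
        // This method is only reached on the certificate path; BASIC and FORM
        // go through authenticate(String, String) and are not affected.
        if (subjectDn == null || subjectDn.length() == 0) {
            return null;
        }
        try {
            LoginContext lc =
                new LoginContext(appName, new DnOnlyCallbackHandler(subjectDn));
            lc.login();
            Subject subject = lc.getSubject();
            if (subject == null) {
                return null;
            }
            // createPrincipal() scans the Subject for the classes listed in
            // userClassNames / roleClassNames and builds Tomcat's principal.
            return createPrincipal(subjectDn, subject);
        } catch (LoginException e) {
            // A failed JAAS login means "unauthenticated"; SSLAuthenticator
            // then rejects the request.
            return null;
        }
    }

    /**
     * Answers NameCallback only. A LoginModule that asks for a password gets
     * UnsupportedCallbackException and fails closed, so a password-checking
     * module cannot be tricked into granting access with an empty password
     * on the certificate path.
     */
    private static final class DnOnlyCallbackHandler implements CallbackHandler {
        private final String name;

        DnOnlyCallbackHandler(String name) {
            this.name = name;
        }

        public void handle(Callback[] callbacks)
                throws IOException, UnsupportedCallbackException {
            for (int i = 0; i < callbacks.length; i++) {
                if (callbacks[i] instanceof NameCallback) {
                    ((NameCallback) callbacks[i]).setName(name);
                } else {
                    throw new UnsupportedCallbackException(callbacks[i],
                        "CertJAASRealm supplies the certificate subject DN only");
                }
            }
        }
    }
}
```

To use it, point the Realm element in server.xml at test.CertJAASRealm instead of org.apache.catalina.realm.JAASRealm and keep the other attributes. The LoginModule behind appName must then derive the user and role principals from the DN alone (for example by checking that it carries the expected organisational attributes), and must not accept a missing password on any realm that is also reachable through BASIC or FORM, since on those paths no certificate has been checked.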
