I tried to configure my webapp to authenticate users with the CLIENT-CERT auth method. I verified my JAAS LoginModule by switching to the "BASIC" auth method and successfully authenticated a user login. After studying the Tomcat 5.5.20 source, I found that the problem is caused by RealmBase.java and JAASRealm.java. If the CLIENT-CERT auth method is used, SSLAuthenticator calls JAASRealm.authenticate(X509Certificate certs[]). As JAASRealm doesn't override authenticate(X509Certificate certs[]), RealmBase's authenticate is used; it only validates the certs and then calls getPrincipal(X509Certificate), which in turn calls getPrincipal(String) to get the Principal. However, in JAASRealm this function always returns null. That means Tomcat can't use JAASRealm with the CLIENT-CERT auth method. Thanks, Butler
You are trying to do authorization with client certs? I'm afraid this is not implemented in Tomcat's JAASRealm. I am sure it is possible to create an extended JAASRealm2 which is able to provide full JAAS functionality with client certs as well. The way to do it could be: 1. Implement authenticate(X509Certificate certs[]) just like the user/password authenticate in JAASRealm. 2. Add an appropriate CallbackHandler for the cert chain to pass the certificates to the custom LoginModule. The custom authorization stuff has to go into the LoginModule, so with that the new JAASRealm2 should be finished. Please let me know if you plan to implement it.
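A sketch of the two steps proposed in this reply, added here as an illustration and not Tomcat's actual fix: a Callback that carries the client certificate chain, a CallbackHandler that fills it, and a JAASRealm subclass overriding authenticate(X509Certificate[]) so the JAAS login runs instead of RealmBase's getPrincipal(String) path. The class names CertJAASRealm, CertificateCallback and CertificateCallbackHandler are hypothetical; the code assumes Tomcat 5.5's protected appName field (the JAAS application name) and its createPrincipal(String, Subject) helper, and the LoginModule that requests the CertificateCallback and performs the authorization is left to the deployer, as the reply says.

```java
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.UnsupportedCallbackException;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.catalina.realm.JAASRealm;
/** Hypothetical JAASRealm variant that runs the JAAS login for CLIENT-CERT (added example). */
public class CertJAASRealm extends JAASRealm {
    /** Callback a LoginModule requests to receive the client certificate chain. */
    public static final class CertificateCallback implements Callback {
        private X509Certificate[] chain;
        public void setChain(X509Certificate[] c) { chain = (c == null) ? null : c.clone(); }
        public X509Certificate[] getChain() { return (chain == null) ? null : chain.clone(); }
    }
    /** Fills only CertificateCallback; a module asking for a name or password fails the login. */
    static final class CertificateCallbackHandler implements CallbackHandler {
        private final X509Certificate[] chain;
        CertificateCallbackHandler(X509Certificate[] chain) { this.chain = chain; }
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof CertificateCallback)) {
                    throw new UnsupportedCallbackException(cb, "only certificate callbacks are supported");
                }
                ((CertificateCallback) cb).setChain(chain);
            }
        }
    }
    /** Replaces RealmBase's getPrincipal(String) path, which JAASRealm answers with null. */
    @Override
    public Principal authenticate(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) return null;
        try {
            for (X509Certificate c : certs) c.checkValidity(); // same check RealmBase does when validate=true
            // appName is the protected JAAS application name shared with the user/password path (assumed).
            LoginContext lc = new LoginContext(appName, new CertificateCallbackHandler(certs));
            lc.login();
            Subject subject = lc.getSubject();
            // End-entity subject DN becomes the user name; roles come from the Subject the LoginModule built.
            String username = certs[0].getSubjectX500Principal().getName();
            return createPrincipal(username, subject); // assumed Tomcat 5.5 helper createPrincipal(String, Subject)
        } catch (LoginException e) {
            return null; // failed login: null means "not authenticated" to the authenticator
        } catch (CertificateException e) {
            return null; // expired or not-yet-valid certificate
        }
    }
}
```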
This has been fixed in trunk and proposed for 5.5.x and 6.0.x
This has been committed for 6.0.x and will be in 6.0.19 onwards.
This has been fixed in 5.5.x and will be included in 5.5.28 onwards.