Bug 41407 - CLIENT-CERT Authentication with JAASRealm not working
Status: RESOLVED FIXED
Product: Tomcat 5
Classification: Unclassified
Component: Catalina
Version: 5.5.20
Hardware/OS: All / All
Priority/Severity: P2 normal
Assigned To: Tomcat Developers Mailing List
Reported: 2007-01-18 18:33 UTC by Butler
Modified: 2009-03-22 10:03 UTC (History)
Description Butler 2007-01-18 18:33:49 UTC
I tried to configure my webapp to authenticate users with the CLIENT-CERT auth method.

I verified my JAAS LoginModule by using the "BASIC" auth method and successfully 
authenticated a user login.

After studying the Tomcat 5.5.20 source, I found that the problem is caused by 
RealmBase.java and JAASRealm.java.

If the CLIENT-CERT auth method is used, SSLAuthenticator will call:

  JAASRealm.authenticate(X509Certificate certs[])

As JAASRealm doesn't override authenticate(X509Certificate certs[]), RealmBase's 
authenticate will be used; it only validates the certs and then calls
getPrincipal(X509Certificate), which in turn calls getPrincipal(String) to 
get the Principal. However, in JAASRealm, this function always returns null.

That means Tomcat can't use JAASRealm with CLIENT-CERT auth method.

Thanks
Butler
Comment 1 rm 2007-01-19 05:37:17 UTC
Are you trying to do authorization with client certs?
I'm afraid this is not implemented in Tomcat's JAASRealm.

I am sure it is possible to create an extended JAASRealm2 which is
able to provide full JAAS functionality with client certs also.
The way to do it could be:
1. Implement authenticate(X509Certificate certs[]) just like
   the user/pwd-authenticate in JAASRealm.
2. Add an appropriate CallbackHandler for the cert chain
   to pass the certificates to the custom LoginModule.

The custom authorization stuff has to go into the LoginModule,
so the new JAASRealm2 should be finished.

Please let me know if you plan to implement it.
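The two steps rm sketches above, as an added Java example that is not part of this bug report or of Tomcat's eventual fix: a Callback/CallbackHandler pair that hands the certificate chain to JAAS, a JAASRealm subclass that overrides authenticate(X509Certificate[]) so RealmBase's null-returning path is never taken, and a minimal LoginModule that consumes the chain. The class names and the "CertLogin" JAAS entry name are assumptions; the LoginModule's authorization logic is left to the application, as comment 1 says.

```java
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import org.apache.catalina.realm.JAASRealm;
// Step 2 of comment 1: a JAAS Callback that carries the client certificate chain.
class CertificateCallback implements Callback { X509Certificate[] chain; }
class CertificateCallbackHandler implements CallbackHandler {
    private final X509Certificate[] chain;
    CertificateCallbackHandler(X509Certificate[] chain) { this.chain = chain; }
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (!(cb instanceof CertificateCallback)) throw new UnsupportedCallbackException(cb);
            ((CertificateCallback) cb).chain = chain;
        }
    }
}
// Step 1 of comment 1: override authenticate(X509Certificate[]) so RealmBase's path via JAASRealm.getPrincipal(String), which always returns null, is bypassed.
class CertJAASRealm extends JAASRealm {
    public Principal authenticate(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) return null;   // no chain, no user
        try {
            // "CertLogin" is an assumed entry name in the JVM's JAAS login configuration
            LoginContext ctx = new LoginContext("CertLogin", new CertificateCallbackHandler(certs));
            ctx.login();
            Subject subject = ctx.getSubject();
            return subject.getPrincipals().isEmpty() ? null : subject.getPrincipals().iterator().next();
        } catch (LoginException e) {
            return null;   // a failed login is "not authenticated", never a fallback principal
        }
    }
}
// Minimal LoginModule that consumes the chain and exposes the end-entity subject DN as the user.
class CertLoginModule implements LoginModule {
    private Subject subject; private CallbackHandler handler; private Principal user;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> st, Map<String, ?> o) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        CertificateCallback cb = new CertificateCallback();
        try { handler.handle(new Callback[] { cb }); } catch (Exception e) { throw new LoginException("no chain supplied"); }
        if (cb.chain == null || cb.chain.length == 0) throw new LoginException("empty chain");
        user = cb.chain[0].getSubjectX500Principal();   // end-entity certificate is chain[0]
        return true;
    }
    public boolean commit() { if (user != null) subject.getPrincipals().add(user); return user != null; }
    public boolean abort() { user = null; return true; }
    public boolean logout() { subject.getPrincipals().remove(user); user = null; return true; }
}
```

The realm relies on the chain already having been validated by the SSL layer; the LoginModule adds only the checks that decide who the user is, and a login failure yields no principal at all rather than an anonymous one.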
Comment 2 Mark Thomas 2008-08-09 07:36:19 UTC
This has been fixed in trunk and proposed for 5.5.x and 6.0.x
Comment 3 Mark Thomas 2008-09-06 13:02:03 UTC
This has been committed for 6.0.x and will be in 6.0.19 onwards.
Comment 4 Mark Thomas 2009-03-22 10:03:44 UTC
This has been fixed in 5.5.x and will be included in 5.5.28 onwards.