Bug 41407 - CLIENT-CERT Authentication with JAASRealm not working
Summary: CLIENT-CERT Authentication with JAASRealm not working
Alias: None
Product: Tomcat 5
Classification: Unclassified
Component: Catalina
Version: 5.5.20
Hardware: All
OS: All
Importance: P2 normal with 1 vote
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2007-01-18 18:33 UTC by Butler
Modified: 2009-03-22 10:03 UTC
Description Butler 2007-01-18 18:33:49 UTC
I tried to configure my webapp to authenticate users by the CLIENT-CERT auth method.

I verified my JAAS LoginModule by using the "BASIC" auth method and successfully
authenticated a user login.

After studying the Tomcat 5.5.20 source, I found that the problem is caused by
RealmBase.java and JAASRealm.java.

If the CLIENT-CERT auth method is used, SSLAuthenticator will call:

  JAASRealm.authenticate(X509Certificate certs[])

As JAASRealm doesn't override authenticate(X509Certificate certs[]), RealmBase's
authenticate is used; it only validates the certs and then calls
getPrincipal(X509Certificate), which in turn calls getPrincipal(String) to
get the Principal. However, in JAASRealm, this function always returns null.

That means Tomcat can't use JAASRealm with CLIENT-CERT auth method.

Comment 1 rm 2007-01-19 05:37:17 UTC
You are trying to do authorization with client certs?
I'm afraid this is not implemented in Tomcat's JAASRealm.

I am sure it is possible to create an extended JAASRealm2 which is
able to provide full JAAS functionality with client certs also.
The way to do it could be:
1. Implement authenticate(X509Certificate certs[]) just like
   the user/pwd-authenticate in JAASRealm.
2. Add an appropriate CallbackHandler for the cert chain
   to pass the certificates to the custom LoginModule.

The custom authorization stuff has to go into the LoginModule,
so the new JAASRealm2 should be finished.

Please let me know if you plan to implement it.
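The two pieces Comment 1 calls for, a Callback that carries the certificate chain and a LoginModule that consumes it, as an added example that is not from the bug report or from Tomcat's own JAASRealm. Class names are hypothetical; the realm-side step (overriding authenticate(X509Certificate[]) to wrap the chain in this handler and run a LoginContext against the module) is left out.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.*;
import javax.security.auth.spi.LoginModule;
import javax.security.auth.x500.X500Principal;

// Hypothetical Callback carrying the client certificate chain to the LoginModule.
class X509CertificateCallback implements Callback {
    private X509Certificate[] chain;
    public X509Certificate[] getChain() { return chain; }
    public void setChain(X509Certificate[] chain) { this.chain = chain; }
}

// Handler a realm would build from the chain SSLAuthenticator passes to authenticate(X509Certificate[]).
class X509CallbackHandler implements CallbackHandler {
    private final X509Certificate[] chain;
    X509CallbackHandler(X509Certificate[] chain) { this.chain = chain; }
    public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
        for (Callback cb : callbacks) {
            if (cb instanceof X509CertificateCallback) ((X509CertificateCallback) cb).setChain(chain);
            else throw new UnsupportedCallbackException(cb); // only certificate callbacks are served
        }
    }
}

// LoginModule that authenticates the caller by the end-entity (leaf) certificate.
public class ClientCertLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler handler;
    private X500Principal principal;
    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> opts) { subject = s; handler = h; }
    public boolean login() throws LoginException {
        X509CertificateCallback cb = new X509CertificateCallback();
        try { handler.handle(new Callback[] { cb }); }
        catch (Exception e) { throw new LoginException("cannot obtain certificate chain: " + e); }
        X509Certificate[] chain = cb.getChain();
        if (chain == null || chain.length == 0) throw new FailedLoginException("no client certificate");
        try { chain[0].checkValidity(); }   // reject an expired or not-yet-valid leaf certificate
        catch (CertificateException e) { throw new FailedLoginException("certificate not valid: " + e); }
        principal = chain[0].getSubjectX500Principal(); // subject DN becomes the authenticated identity
        return true;
    }
    public boolean commit() { if (principal != null) subject.getPrincipals().add(principal); return principal != null; }
    public boolean abort() { principal = null; return true; }
    public boolean logout() { subject.getPrincipals().remove(principal); principal = null; return true; }
}
```

The module assumes the chain was already verified against the trust store during the TLS handshake; it only maps the leaf subject to a Principal and rejects a leaf that is outside its validity period.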
Comment 2 Mark Thomas 2008-08-09 07:36:19 UTC
This has been fixed in trunk and proposed for 5.5.x and 6.0.x
Comment 3 Mark Thomas 2008-09-06 13:02:03 UTC
This has been committed for 6.0.x and will be in 6.0.19 onwards.
Comment 4 Mark Thomas 2009-03-22 10:03:44 UTC
This has been fixed in 5.5.x and will be included in 5.5.28 onwards.