After migrating to tomcat8, could no longer do client certificate login with the following error SEVERE: Unexpected error javax.security.auth.login.LoginException: No LoginModules configured for *yourServiceName* at javax.security.auth.login.LoginContext.init(LoginContext.java:264) at javax.security.auth.login.LoginContext.<init>(LoginContext.java:512) at org.apache.catalina.realm.JAASRealm.authenticate(JAASRealm.java:395) at org.apache.catalina.realm.JAASRealm.getPrincipal(JAASRealm.java:491) at org.apache.catalina.realm.RealmBase.getPrincipal(RealmBase.java:1252) at org.apache.catalina.realm.RealmBase.authenticate(RealmBase.java:450) at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:110) at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:581) It turns out that while the entire service has clientAuth="true" in the web.xml the url-pattern-based <security-constraint> ... <auth-constraint> <role-name>*</role-name> </auth-constraint> </security-constraint> <login-config> <auth-method>CLIENT-CERT</auth-method> </login-config> ... war ignored in tomcat 7, with tomcat 8, it produced the above error. ==> suggestion: amend the LoginException with a hint on web.xml and "login-config" element
This happened because the JAASRealm was used as the default if no other Realm was identified. The reference to LoginModules would make sense to a user who had explicitly configured the JAASRealm but in this instance it was more of a hindrance than a help. All currently supported versions of Tomcat use the NullRealm rather than the JAASRealm as the default Realm (and have done for a number of years) so this issue should no longer occur.