List,
I have actually searched extensively on this topic and either a) I don't know how to configure something and/or b) I don't quite understand what a JNDI Realm actually is supposed to do. I am using Tomcat 7.0.32 with jdk 1.7.0_15.
Here is what I want to do. I work with customers that use PKI User Certificates. The user certificates have a cn like "Joe Smith". What I need to be able to do is look up this CN in LDAP and get the users id, which may be something like "jsmith23", and populate the Principal user in the request header. The reason for this is I have an application deployed in Tomcat that specifically makes a call for getRemoteUser() and this id (e.g. "jsmith23") must be populated correctly. This application is sort of like a web adaptor for another third party tool, which consequently checks LDAP again. However, it must be this userid.
I have tried many things, but I can't seem to get past the LDAP lookup. In my server.xml, it looks like the following:
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
keystoreFile="c:/tomcat7/pki/keystore.jks" keystorePass="changeit"
truststoreFile="c:/tomcat7/pki/cacerts.jks" truststorePass="changeit" />
<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99"
connectionURL="ldap://servername:3268"
allRolesMode="authOnly"
connectionName="cn=DC Services,OU=Generic,OU=Users,OU=Managed Objects,DC=domain,DC=com"
connectionPassword="mypassword"
userBase="DC=domain,DC=com"
userSubtree="true"
userSearch="cn={0}"
userRoleName="memberOf" />
The web.xml file for my application looks like the following:
<security-constraint>
<web-resource-collection>
<web-resource-name>ArcGIS Web Adapter</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<auth-constraint>
<role-name>*</role-name>
</auth-constraint>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>ArcGIS Web Adapter</realm-name>
</login-config>
<security-role>
<role-name>*</role-name>
</security-role>
<welcome-file-list>
<welcome-file>index.jsp</welcome-file>
</welcome-file-list>
The problem I have is I keep getting this error, no matter what I try:
message Cannot authenticate with the provided credentials description This request requires HTTP authentication.
It prompts me for my certificate, so I know that gets through. The localhost log file shows:
FINE: Realm.authenticate() returned false
However, I know I am connecting properly, because if I change the password, I can't hit the site at all.
I guess one of my questions is what is the result of the JNDI realm setup. If it looks up a username's CN in LDAP, then what? Is that suppose to provide the authentication necessary to proceed to my web application? If I change everything to BASIC and use a username/pwd for authentication, it works perfectly. But using CLIENT-CERT and using the LDAP lookup, I just can't seem to achieve what I need to.
I need a process that looks up a user's id based on their certificate CN and then populates the Principal user in the http request so that a later call to getTemoteUser() works correctly.
Any help would be appreciated.
Problem is the org.apache.catalina.realm.JNDIRealm requires a username and password. When authenticating with CLIENT-CERT, the org.apache.catalina.realm.RealmBase is able to use the DN from the certificate for the username, but is not able to get the password which is required by the JNDIRealm.
Hi I have a set up that work in Tomcat 6.0.18 however it has similar issue on Tomcat 6.0.37 as you have . Check my post here Tomcat 6.0.37 can not retrieve username from LDAP to compare your config. hope that help. Please let me know if that work on your Tomcat version...
来源:https://stackoverflow.com/questions/16639382/how-to-configure-jndi-realm-with-tomcat-7-for-pki-user-certificate-authenticatio