https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
Bug ID: 65975
Summary: CLIENT-CERT authentication does not request cert from client and always denies access (401)
Product: Tomcat 9
Version: 9.0.60
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: dev@tomcat.apache.org
Reporter: martin.sta...@t-base.pro
Target Milestone: -----

Created attachment 38232
--> https://bz.apache.org/bugzilla/attachment.cgi?id=38232&action=edit
ZIP file containing the adjusted default config as mentioned in the description

According to the documentation https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig, setting certificateVerification="none" should behave as follows:

"A none value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication."

The problem encountered is that a resource protected by a security constraint that uses CLIENT-CERT authentication does not cause Tomcat to request a certificate chain. As a result all access is denied.

Reproduced in Apache Tomcat versions 9.0.60 and 8.5.77

Tested Java versions:
- OpenJDK Runtime Environment (build 17.0.2+8-86) on Tomcat 9.0.60 and 8.5.77
- Zulu 8.56.0.23-CA-win64 (build 1.8.0_302-b08) on Tomcat 9.0.60

Tested Tomcat Connectors on Tomcat 9.0.60:
- org.apache.coyote.http11.Http11NioProtocol - JSSE
- org.apache.coyote.http11.Http11AprProtocol, UpgradeProtocol org.apache.coyote.http2.Http2Protocol - JSSE and OpenSSL

Tested Tomcat Connector on Tomcat 8.5.77:
- org.apache.coyote.http11.Http11NioProtocol - JSSE

catalina.log excerpt of a failed authentication:

23-Mar-2022 21:15:11.270 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking request GET /examples/jsp/security/protected/index.jsp
23-Mar-2022 21:15:11.270 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /jsp/security/protected/index.jsp --> true
23-Mar-2022 21:15:11.271 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking constraint 'SecurityConstraint[Protected Area]' against GET /jsp/security/protected/index.jsp --> true
23-Mar-2022 21:15:11.277 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl.loadPersistentRegistrations Loading persistent provider registrations from [C:\Program Files\Apache Software Foundation\Tomcat 9.0\conf\jaspic-providers.xml]
23-Mar-2022 21:15:11.282 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling hasUserDataPermission()
23-Mar-2022 21:15:11.283 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.realm.RealmBase.hasUserDataPermission User data constraint already satisfied
23-Mar-2022 21:15:11.283 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling authenticate()
23-Mar-2022 21:15:11.284 FINE [https-openssl-apr-443-exec-2] org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed authenticate() test

How to reproduce:

1. For changes made to the default configuration see attachments:
   - conf/server.xml: Connector port 8080 disabled, connector port 443 with SSL configuration enabled and adjusted
   - conf/tomcat-users.xml: Role "user" and one user added
   - webapps/examples/WEB-INF/web.xml: Changed security-constraint, login-config and security-role for CLIENT-CERT authentication
2. Open https://<hostname>/examples/jsp/security/protected/index.jsp in a browser

This should result in "HTTP Status 401 – Unautorisiert" (the German-localized "401 Unauthorized" page).

To check if the configuration works otherwise:

1. Change certificateVerification to "required" in conf/server.xml
2. Restart Tomcat
3. Open https://<hostname>/examples/jsp/security/protected/index.jsp in a browser

This should return the example webpage showing the authenticated user.