https://bz.apache.org/bugzilla/show_bug.cgi?id=65975
Bug ID: 65975
Summary: CLIENT-CERT authentication does not request cert from
client and always denies access (401)
Product: Tomcat 9
Version: 9.0.60
Hardware: PC
Status: NEW
Severity: normal
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
Created attachment 38232
--> https://bz.apache.org/bugzilla/attachment.cgi?id=38232&action=edit
ZIP file containing the adjusted default config as mentioned in the description
According to the documentation
https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support_-_SSLHostConfig,
setting certificateVerification="none" should behave as follows: "A none value
(which is the default) will not require a certificate chain unless the client
requests a resource protected by a security constraint that uses CLIENT-CERT
authentication."
The problem encountered is that a resource protected by a security constraint
that uses CLIENT-CERT authentication does not cause Tomcat to request a
certificate chain. As a result all access is denied.
Reproduced in Apache Tomcat versions 9.0.60 and 8.5.77
Tested Java versions:
- OpenJDK Runtime Environment (build 17.0.2+8-86) on Tomcat 9.0.60 and 8.5.77
- Zulu 8.56.0.23-CA-win64 (build 1.8.0_302-b08) on Tomcat 9.0.60
Tested Tomcat Connector on Tomcat 9.0.60:
- org.apache.coyote.http11.Http11NioProtocol - JSSE
- org.apache.coyote.http11.Http11AprProtocol, UpgradeProtocol
org.apache.coyote.http2.Http2Protocol - JSSE and OpenSSL
Tested Tomcat Connector on Tomcat 8.5.77:
- org.apache.coyote.http11.Http11NioProtocol - JSSE
catalina.log excerpt of a failed authentication:
23-Mar-2022 21:15:11.270 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking
request GET /examples/jsp/security/protected/index.jsp
23-Mar-2022 21:15:11.270 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Protected Area]' against GET
/jsp/security/protected/index.jsp --> true
23-Mar-2022 21:15:11.271 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.realm.RealmBase.findSecurityConstraints Checking
constraint 'SecurityConstraint[Protected Area]' against GET
/jsp/security/protected/index.jsp --> true
23-Mar-2022 21:15:11.277 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.authenticator.jaspic.AuthConfigFactoryImpl.loadPersistentRegistrations
Loading persistent provider registrations from [C:\Program Files\Apache
Software Foundation\Tomcat 9.0\conf\jaspic-providers.xml]
23-Mar-2022 21:15:11.282 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
hasUserDataPermission()
23-Mar-2022 21:15:11.283 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.realm.RealmBase.hasUserDataPermission User data
constraint already satisfied
23-Mar-2022 21:15:11.283 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
23-Mar-2022 21:15:11.284 FINE [https-openssl-apr-443-exec-2]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Failed
authenticate() test
How to reproduce:
1. For changes made to the default configuration see attachments:
- conf/server.xml: Connector port 8080 disabled, connector port 443 with SSL
configuration enabled and adjusted
- conf/tomcat-users.xml: Role "user" and one user added
- webapps/examples/WEB-INF/web.xml: Changed security-constraint, login-config
and security-role for CLIENT-CERT authentication
2. Open https://<hostname>/examples/jsp/security/protected/index.jsp in a
browser
This should result in "HTTP Status 401 – Unautorisiert"
To check if the configuration works otherwise:
1. Change certificateVerification to "required" in conf/server.xml
2. Restart Tomcat
3. Open https://<hostname>/examples/jsp/security/protected/index.jsp in a
browser
This should return the example webpage showing the authenticated user.