https://bz.apache.org/bugzilla/show_bug.cgi?id=65975

--- Comment #6 from Martin Stangl <martin.sta...@t-base.pro> ---
Hi Mark,

this did the trick. You definitely know your stuff. Thanks a lot.

I used TLS1.2 and the OpenSSL TLS implementation and tested both
org.apache.coyote.http11.Http11NioProtocol and
org.apache.coyote.http11.Http11AprProtocol.

Both worked.

org.apache.coyote.http11.Http11NioProtocol perfectly so. Authentication and
response from Tomcat happened immediately after selecting the certificate in
the browser. Felt almost faster than delivering a static page.

org.apache.coyote.http11.Http11AprProtocol had a delay of 1 minute after
selecting the certificate in the browser. 

Tested with Chrome, Edge and Postman with identical results.

I am happy with Nio working. 
But if you want to look into the issue with
org.apache.coyote.http11.Http11AprProtocol, I am willing to support with
testing.

stderr excerpt for org.apache.coyote.http11.Http11AprProtocol with OpenSSL. 
Pauses after "Calling authenticate()":

24-Mar-2022 12:42:07.712 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Security checking
request GET /examples/jsp/security/protected/index.jsp
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[Protected Area]' against GET
/jsp/security/protected/index.jsp --> true
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.findSecurityConstraints   Checking
constraint 'SecurityConstraint[Protected Area]' against GET
/jsp/security/protected/index.jsp --> true
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
hasUserDataPermission()
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data
constraint already satisfied
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
24-Mar-2022 12:43:07.754 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate
user [EMAILADDRESS=martin.sta...@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
24-Mar-2022 12:43:07.755 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.authenticate Authenticating client
certificate chain
24-Mar-2022 12:43:07.755 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.authenticate  Checking validity for
'EMAILADDRESS=martin.sta...@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro'
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.authenticate  Checking validity for
'CN=T-base-CA, DC=intranet, DC=t-base, DC=pro'
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.getPrincipal Got user name from X509
certificate: [EMAILADDRESS=martin.sta...@t-base.pro, CN=Martin Stangl,
CN=Users, DC=intranet, DC=t-base, DC=pro]
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.CombinedRealm.authenticate Authenticated user
[EMAILADDRESS=martin.sta...@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro] with realm
[org.apache.catalina.realm.UserDatabaseRealm]
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.register Authenticated
'EMAILADDRESS=martin.sta...@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro' with type 'CLIENT_CERT'
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
accessControl()
24-Mar-2022 12:43:07.756 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.hasResourcePermission   Checking roles
GenericPrincipal[EMAILADDRESS=martin.sta...@t-base.pro, CN=Martin Stangl,
CN=Users, DC=intranet, DC=t-base, DC=pro()]
24-Mar-2022 12:43:07.757 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.hasRole Username
[EMAILADDRESS=martin.sta...@t-base.pro, CN=Martin Stangl, CN=Users,
DC=intranet, DC=t-base, DC=pro] has role [user]
24-Mar-2022 12:43:07.757 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.hasResourcePermission Role found:  user
24-Mar-2022 12:43:07.757 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Successfully passed
all security constraints
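
To find stalls like the one-minute pause after "Calling authenticate()" in a longer FINE-level log, the following added example (not part of the original comment and not Tomcat code) re-joins mail-wrapped log records and reports per-thread gaps between consecutive records. The function names, the 5-second threshold and the shortened DN in the constructed sample are assumptions.

```python
import re
from datetime import datetime

# Start of a Tomcat log record: "24-Mar-2022 12:42:07.713 FINE [thread] ..."
RECORD_START = re.compile(
    r"^(\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) \w+ \[([^\]]+)\]\s*(.*)$")

# Constructed sample: four records from the excerpt above, still hard-wrapped
# as in the mail; the certificate DN is shortened to a placeholder.
SAMPLE = """\
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.hasUserDataPermission   User data
constraint already satisfied
24-Mar-2022 12:42:07.713 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.authenticator.AuthenticatorBase.invoke Calling
authenticate()
24-Mar-2022 12:43:07.754 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.CombinedRealm.authenticate Attempting to authenticate
user [CN=example] with realm [org.apache.catalina.realm.UserDatabaseRealm]
24-Mar-2022 12:43:07.755 FINE [https-openssl-apr-443-exec-7]
org.apache.catalina.realm.RealmBase.authenticate Authenticating client
certificate chain
"""

def parse_records(text):
    """Return [timestamp, thread, message] per record, joining wrapped lines."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%d-%b-%Y %H:%M:%S.%f")
            records.append([ts, m.group(2), m.group(3).strip()])
        elif records and line.strip():
            # Continuation of the previous record (wrapped by the mail client).
            records[-1][2] = " ".join((records[-1][2] + " " + line).split())
    return records

def find_stalls(text, threshold_s=5.0):
    """Return (thread, gap_seconds, last_message_before_gap) for each long gap."""
    last, stalls = {}, []
    for ts, thread, msg in parse_records(text):
        if thread in last:
            gap = (ts - last[thread][0]).total_seconds()
            if gap >= threshold_s:
                stalls.append((thread, round(gap, 3), last[thread][1]))
        last[thread] = (ts, msg)
    return stalls

if __name__ == "__main__":
    for thread, gap, before in find_stalls(SAMPLE):
        print(f"{gap:8.3f}s stall on {thread} after: {before}")
```

Gaps are tracked per thread so that interleaved requests on other executor threads do not hide or fake a stall.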
