如何使用Tomcat 7配置JNDI Realm进行PKI用户证书认证? [英] How to configure JNDI Realm with Tomcat 7 for PKI User Certificate Authentication?

问题描述

列表

我实际上已经对该主题进行了广泛的搜索，或者a)我不知道如何配置某些东西和/或b)我不太了解JNDI Realm实际上应该做什么.我将jdk 1.7.0_15与Tomcat 7.0.32结合使用.

I have actually searched extensively on this topic and either a) I don't know how to configure something and/or b) I don't quite understand what a JNDI Realm actually is supposed to do. I am using Tomcat 7.0.32 with jdk 1.7.0_15.

这就是我想要做的.我与使用PKI用户证书的客户合作.用户证书具有一个类似"Joe Smith"的cn.我需要做的是在LDAP中查找此CN并获取用户ID(可能类似于"jsmith23")，然后在请求标头中填充Principal用户.原因是我在Tomcat中部署了一个应用程序，该应用程序专门调用getRemoteUser()，并且必须正确填充此ID(例如"jsmith23").此应用程序有点像另一个第三方工具的Web适配器，因此会再次检查LDAP.但是，它必须是此用户标识.

Here is what I want to do. I work with customers that use PKI User Certificates. The user certificates have a cn like "Joe Smith". What I need to be able to do is look up this CN in LDAP and get the users id, which may be something like "jsmith23", and populate the Principal user in the request header. The reason for this is I have an application deployed in Tomcat that specifically makes a call for getRemoteUser() and this id (e.g. "jsmith23") must be populated correctly. This application is sort of like a web adaptor for another third party tool, which consequently checks LDAP again. However, it must be this userid.

我尝试了很多事情，但是似乎无法通过LDAP查找.在我的server.xml中，它如下所示:

I have tried many things, but I can't seem to get past the LDAP lookup. In my server.xml, it looks like the following:

     <Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="true" sslProtocol="TLS"
                   keystoreFile="c:/tomcat7/pki/keystore.jks" keystorePass="changeit"
                   truststoreFile="c:/tomcat7/pki/cacerts.jks" truststorePass="changeit" />

<Realm className="org.apache.catalina.realm.JNDIRealm" debug="99" 
                connectionURL="ldap://servername:3268"
                allRolesMode="authOnly" 
                connectionName="cn=DC Services,OU=Generic,OU=Users,OU=Managed Objects,DC=domain,DC=com" 
                connectionPassword="mypassword" 
                userBase="DC=domain,DC=com" 
                userSubtree="true" 
                userSearch="cn={0}" 
                userRoleName="memberOf" />

我的应用程序的web.xml文件如下所示:

The web.xml file for my application looks like the following:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>ArcGIS Web Adapter</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>ArcGIS Web Adapter</realm-name>
</login-config>
<security-role>
    <role-name>*</role-name>
</security-role>
<welcome-file-list>
    <welcome-file>index.jsp</welcome-file>
</welcome-file-list>

我遇到的问题是，无论尝试什么，我都会不断收到此错误:

The problem I have is I keep getting this error, no matter what I try:

消息无法使用提供的凭据进行身份验证 说明此请求需要HTTP身份验证.

message Cannot authenticate with the provided credentials description This request requires HTTP authentication.

它提示我输入证书，所以我知道通过了.本地主机日志文件显示:

It prompts me for my certificate, so I know that gets through. The localhost log file shows:

好:Realm.authenticate()返回false

FINE: Realm.authenticate() returned false

但是，我知道我的连接正确，因为如果更改密码，根本无法访问该网站.

However, I know I am connecting properly, because if I change the password, I can't hit the site at all.

我想我的问题之一是JNDI领域设置的结果.如果它在LDAP中查找用户名的CN，那该怎么办?那是否提供了进行我的Web应用程序所必需的身份验证?如果我将所有内容都更改为BASIC并使用用户名/pwd进行身份验证，则可以完美运行.但是，使用CLIENT-CERT和LDAP查找，我似乎无法实现我所需要的.

I guess one of my questions is what is the result of the JNDI realm setup. If it looks up a username's CN in LDAP, then what? Is that suppose to provide the authentication necessary to proceed to my web application? If I change everything to BASIC and use a username/pwd for authentication, it works perfectly. But using CLIENT-CERT and using the LDAP lookup, I just can't seem to achieve what I need to.

我需要一个过程，该过程根据用户的证书CN查找用户的ID，然后在http请求中填充Principal用户，以便以后对getTemoteUser()的调用正确进行.

I need a process that looks up a user's id based on their certificate CN and then populates the Principal user in the http request so that a later call to getTemoteUser() works correctly.

任何帮助将不胜感激.

推荐答案

问题是org.apache.catalina.realm.JNDIRealm需要用户名和密码.在使用CLIENT-CERT进行身份验证时，org.apache.catalina.realm.RealmBase可以使用证书中的DN作为用户名，但不能获取JNDIRealm所需的密码.

Problem is the org.apache.catalina.realm.JNDIRealm requires a username and password. When authenticating with CLIENT-CERT, the org.apache.catalina.realm.RealmBase is able to use the DN from the certificate for the username, but is not able to get the password which is required by the JNDIRealm.

这篇关于如何使用Tomcat 7配置JNDI Realm进行PKI用户证书认证?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！