
I have been banging my head against the wall. I recently upgraded Tomcat from 6.0.18 to 6.0.37 to fix some vulnerabilities flagged by the security team. Everything works fine except the CAC log-in feature. This config worked fine in 6.0.18 but not in 6.0.37 (it gives an HTTP 500 error). When a user logs in with a CAC, the site prompts for the CAC certificate; after the user picks their certificate, it logs the user in.

Basically, the site gets the certificate from the CAC and authenticates against LDAP to retrieve the username from LDAP. The app uses the username to authenticate the user and log the user in.

It needs access to /process.jsp in order for the username to get authenticated. However, in web.xml it is set as a protected page.

Please help point me in the right direction. I truly appreciate it.

I just don't get why it doesn't work in Tomcat 6.0.37. Is there any new config that needs to be set for Tomcat 6.0.37?

Below is the config for the Connector and JNDIRealm in the server.xml file:

<Connector port="443"
    maxHttpHeaderSize="8192"
    allowUnsafeLegacyRenegotiation="true"
    protocol="org.apache.coyote.http11.Http11Protocol"
    SSLEnabled="true"
    enableLookups="false"
    disableUploadTimeout="true"
    acceptCount="200"
    maxThreads="150"
    scheme="https"
    secure="true"
    keystoreFile="C:\Tomcat 6.0\cert\xxxx.keystore"
    keystorePass="changeit"
    truststoreFile="D:\Sun\SDK\jdk\jre\lib\security\cacerts"
    truststorePass="changeit"
    clientAuth="false"
    sslProtocol="TLS"
    ciphers="xxxxxxxxx"
    address="0.0.0.0"/>



<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://xxx.xx.xx.xxx/"
    alternateURL="ldap://xxx.xx.xx.xxx/"
    connectionName="CN=xxxxxx,OU=xxxx Accounts,OU=xxxxx,DC=xxxx,DC=xxxx,DC=local"
    connectionPassword="MyPassword"
    authentication="simple"
    referrals="follow"
    userSubtree="true"
    userBase="OU=xxxxx,DC=xxxx,DC=dhhq,DC=local"
    userRoleName="xxx"
    userSearch="(altSecurityIdentities={0})"
    roleBase="CN=xxxxxxx,OU=xxxxxx,OU=Accounts,DC=xxxx,DC=xxxx,DC=local"
    roleSubtree="true"
    roleName="cn"
    roleSearch="(member={0})" />

web.xml security config:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Myapp</web-resource-name>
        <url-pattern>/process.jsp</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>User</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>TOMCATLDAP</realm-name>
</login-config>
<security-role>
    <role-name>User</role-name>
</security-role>
Dan

1 Answer

I finally found a way to get around this; however, it is not perfect... The security-constraint in web.xml is now as follows:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Myapp</web-resource-name>
        <!--url-pattern>/process.jsp</url-pattern-->
    </web-resource-collection>
    <auth-constraint>
        <role-name>User</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

It protects the process.jsp page, which triggers the smart card to get the username from AD; then process.jsp can log the user in. The root cause I was fighting for the past few days was that process.jsp can't be accessed; that's why the authentication dies when the username can't reach process.jsp. But if I take process.jsp out of the protected url-pattern, then the smart card doesn't get triggered and there is no username at all.

What I did is set clientAuth="true" so that the smart card gets triggered every time a page on the website is accessed/clicked, so that the username is always returned whether or not it is needed; I also removed process.jsp from the url-pattern so that the username can reach process.jsp and do the magic to log users in. And it WORKS! The problem is that now every click on the website triggers the smart card, and it is very annoying.

Does anyone know why the protected page cannot be accessed even though the smart card authentication went through? (This is for Tomcat 6.0.37; no problem on 6.0.18; not sure if it is a bug or a security fix...) Or can you suggest a better workaround...

Thank you! Anh

Dan
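The following is an added example, not the original poster's files, that puts the Connector, the JNDIRealm and the web.xml constraint from the question and the answer side by side with the three `clientAuth` values annotated as Tomcat 6 defines them. Hostnames, DNs, keystore paths, passwords and the cipher list are placeholders; `clientAuth="want"` is shown as a third option purely to illustrate the TLS-layer difference between it, the question's `"false"` and the answer's `"true"`, not as a confirmed fix for the HTTP 500.

```xml
<!-- server.xml (added example). Placeholder paths, passwords, DNs and ciphers. -->
<Connector port="443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    maxHttpHeaderSize="8192"
    maxThreads="150"
    acceptCount="200"
    enableLookups="false"
    disableUploadTimeout="true"
    sslProtocol="TLS"
    keystoreFile="/path/to/server.keystore"
    keystorePass="changeit"
    truststoreFile="/path/to/cac-issuing-cas.jks"
    truststorePass="changeit"
    ciphers="..."
    address="0.0.0.0"
    clientAuth="want" />
<!--
  clientAuth decides when the TLS layer asks the browser for a certificate:

  "false" (default) - nothing is requested in the initial handshake. When a
          request reaches a CLIENT-CERT protected URL, Tomcat must renegotiate
          the TLS session to obtain the certificate. On a JVM without RFC 5746
          (secure renegotiation) support that renegotiation is refused unless
          allowUnsafeLegacyRenegotiation="true", which re-opens CVE-2009-3555;
          on a JVM that does support RFC 5746 the attribute has no effect.
  "want"  - the certificate is requested in the initial handshake, but the
          handshake succeeds if the browser has none to offer. Users with a
          CAC inserted present it on every connection; users without one are
          not locked out of unprotected pages.
  "true"  - the handshake fails unless a valid chain is presented, so every
          page on the site requires the CAC (the answer's workaround).

  With "want" or "true" the server sends the CA names in truststoreFile as the
  acceptable issuers; browsers only offer certificates chaining to one of them,
  so the truststore must contain the CAC issuing CAs rather than the JDK's
  default cacerts.
-->

<!-- RealmBase hands the realm certs[0].getSubjectDN().getName() as the
     username, so {0} in userSearch is the certificate's subject DN string and
     altSecurityIdentities must hold exactly that value for the user to match. -->
<Realm className="org.apache.catalina.realm.JNDIRealm"
    connectionURL="ldap://ldap.example.local/"
    connectionName="CN=svc-tomcat,OU=Service Accounts,DC=example,DC=local"
    connectionPassword="placeholder"
    authentication="simple"
    referrals="follow"
    userBase="OU=Users,DC=example,DC=local"
    userSubtree="true"
    userSearch="(altSecurityIdentities={0})"
    roleBase="OU=Groups,DC=example,DC=local"
    roleSubtree="true"
    roleName="cn"
    roleSearch="(member={0})" />
```

In web.xml the `<url-pattern>` has to stay inside the `<web-resource-collection>`: the servlet schema requires at least one, and a collection with none matches no URL at all, so the constraint in the answer (url-pattern commented out) protects nothing and leaves only the TLS-layer `clientAuth="true"` standing between a visitor and /process.jsp.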