1

I access my application with url i.e https://myIPAddress:8443/myWebApp/

I have created the myWebApp.xml file which contains below context element and placed it under <tomcat_home>\conf\Catalina\localhost\

<Context>
 <Valve className="org.apache.catalina.authenticator.MySSLAuthenticator"/>
</Context>

MySSLAuthenticator.class is under jar file which is placed under <tomcat_home>\lib

But looks like MySSLAuthenticator is not coming into picture as i get below error where i see instance of SSLAuthenticator not MySSLAuthenticator

javax.net.ssl.SSLHandshakeException: null cert chain
    at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
    at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
    at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:266)
    at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1631)
    at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:176)
    at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
    at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
    at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
    at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:884)
    at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
    at java.io.InputStream.read(InputStream.java:101)
    at org.apache.tomcat.util.net.jsse.JSSESupport.handShake(JSSESupport.java:181)
    at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:148)
    at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1120)
    at org.apache.coyote.Request.action(Request.java:349)
    at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:135)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)

i am not sure what is missing here? tomcat version is 6.0.35

user3198603
  • 5,528
  • 13
  • 65
  • 125

1 Answers1

1

In your question there is no mention of an associated Realm definition, potentially that is what's causing the error (null cert chain). If there is no principal associated with the request (which is unlikely if there was no previous successful authentication performed), SSLAuthenticator will invoke the authentication realm. However, in your case this Realm may not exist or it does but is misconfigured in some way and as a result SSLAuthenticator can't interpret it.

You can validate this by disabling your custom MySSLAuthenticator and make it work with the built-in SSLAuthenticator first. Once you get that working, then try extending SSLAuthenticator. Assuming that that's what you're trying to do.

It is also advisable to set logging level to debug as you may find useful info logged from the extended classes:

SSLAuthenticator and its parent class AuthenticatorBase

With regards to your class not even being recognised by tomcat, the most likely answer is that you've defined it in an application context. Tomcat valves can be associated with the Engine, Host and Context and they are invoked in that order. So the most likely answer to why tomcat never reaches your Valve is that the built-in SSLAuthenticator captures (and falls over on) the request on the Engine level. So subsequent Host and Context level processing is never reached.

chiswicked
  • 873
  • 9
  • 9