[Pki-devel] Revocation investigation with Shared Tomcat instance
Endi Sukma Dewata
edewata at redhat.com
Tue Oct 21 18:44:11 UTC 2014
On 10/21/2014 12:47 PM, John Magne wrote:
> Questions:
>
> 1. edewata, alee, do you guys know of something that might have changed to have caused this.
Here's the change history of the file:
git log --follow
base/server/cmscore/src/com/netscape/cmscore/authentication/CertUserDBAuthentication.java
We did some cleanups, but I don't think we changed the functionality.
> 2. auths.instance.AgentCertAuth.pluginName=AgentCertAuth setting no longer has an effect because the PKIRealm appears to be
> hardcoding the authentication manager to be the above "CertUserDBAuthentication"manager. This is perhaps a side point but worth
> asking about?
On Tomcat the smallest scope that a realm can be configured is at
Context level, so each web application (i.e. subsystem) can only have
one realm. See
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#Configuring_a_Realm).
Also, Realm only has limited interface:
- authenticate(username, password)
- authenticate(certs)
See
http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/Realm.html.
So there's no way for a realm to know which URL path or servlet the
client is trying to access. Authentication has to be based on the above
parameters only, so that's why the auth manager needs to be hard-coded.
The Realm is only used by the CLI/REST services. It doesn't affect the
auth mechanisms used by the existing servlets. Is there any need to use
other auth managers with REST services?
> 3. Looking for opinions upon how to deal with this? It may be a case of simply biting the bullet and figuring out why our code
> no longer works and filing and completing a ticket for this.
I believe the issue was originally filed for CLI, which always uses the
CertUserDBAuthentication. So I think we should focus the investigation
there.
I'm not familiar with the other auth managers, so I don't know whether
they are relevant for CLI.
> I have not tested the other non CA subs but I am pretty sure the problem will surface there as well.
>
> thanks,
> jack
--
Endi S. Dewata
More information about the Pki-devel
mailing list