Reputation: 5816
Valve configuration not working in tomcat?
I access my application with url i.e https://myIPAddress:8443/myWebApp/
I have created the myWebApp.xml file which contains below context element and placed it under <tomcat_home>\conf\Catalina\localhost\
<Context>
<Valve className="org.apache.catalina.authenticator.MySSLAuthenticator"/>
</Context>
MySSLAuthenticator.class is under jar file which is placed under <tomcat_home>\lib
But looks like MySSLAuthenticator is not coming into picture as i get below error where i see instance of SSLAuthenticator not MySSLAuthenticator
javax.net.ssl.SSLHandshakeException: null cert chain
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1884)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:276)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:266)
at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1631)
at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:176)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:868)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:804)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1016)
at sun.security.ssl.SSLSocketImpl.readDataRecord(SSLSocketImpl.java:884)
at sun.security.ssl.AppInputStream.read(AppInputStream.java:102)
at java.io.InputStream.read(InputStream.java:101)
at org.apache.tomcat.util.net.jsse.JSSESupport.handShake(JSSESupport.java:181)
at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:148)
at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1120)
at org.apache.coyote.Request.action(Request.java:349)
at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:135)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:528)
i am not sure what is missing here? tomcat version is 6.0.35
Upvotes: 1
Views: 1058
Answers (1)
Reputation: 873
In your question there is no mention of an associated Realm definition, potentially that is what's causing the error (null cert chain). If there is no principal associated with the request (which is unlikely if there was no previous successful authentication performed), SSLAuthenticator will invoke the authentication realm. However, in your case this Realm may not exist or it does but is misconfigured in some way and as a result SSLAuthenticator can't interpret it.
You can validate this by disabling your custom MySSLAuthenticator and make it work with the built-in SSLAuthenticator first. Once you get that working, then try extending SSLAuthenticator. Assuming that that's what you're trying to do.
It is also advisable to set logging level to debug as you may find useful info logged from the extended classes:
SSLAuthenticator and its parent class AuthenticatorBase
With regards to your class not even being recognised by tomcat, the most likely answer is that you've defined it in an application context. Tomcat valves can be associated with the Engine, Host and Context and they are invoked in that order. So the most likely answer to why tomcat never reaches your Valve is that the built-in SSLAuthenticator captures (and falls over on) the request on the Engine level. So subsequent Host and Context level processing is never reached.
Upvotes: 1
Related Questions
- How to configure Tomcat SSLHostConfig correctly?
- What is wrong with the way I configured SSL in tomcat?
- Tomcat 9: valve redirection of http to https only works for base URL?
- How to add Valve to Apache Tomcat
- Why is my tomcat valve not being invoked?
- SSL Tomcat Configuration
- ssl tomcat certificate error
- Tomcat Valve settings
- Configuring SSL with tomcat
- Setting up tomcat + ssl failed.. cannot connect to SSL channel?