tomcat-dev mailing list archives

From Gal Shachor <shac...@il.ibm.com>
Subject Re: Certificate information is not transferred by Tomcat
Date Wed, 28 Jun 2000 09:32:26 GMT

James,

You should know the difference between:
1. Standard HTTP headers (as defined in the HTTP spec),
2. Private *proprietary* web server attributes, and
3. Standard SSL information as defined in the Servlet API spec.

1)
The Servlet API specifies that servlets should be able to access the HTTP headers sent by the client through the HttpServletRequest.getHeaderXXX() methods.

2)
The Servlet API does not specify what to do with *proprietary* web server attributes. For now I am working on adding them into the ServletRequest's attributes table. This is not standard by any means, just good practice to help servlet developers integrate better with the web server!

3)
The Servlet API specifies the following ways to access *standard* SSL information:
a. The servlet can know that it runs with an SSL connection to the client by calling the method ServletRequest.isSecure(). Hopefully this will work with all servers in Tomcat3.2 (should work in Tomcat3.2-dev).

b. The certificate should be visible to the servlet as a request attribute named 'javax.servlet.request.X509Certificate', whose value should be an array of type 'javax.security.cert.X509Certificate'. Hopefully Tomcat3.2 will be able to support this (partially) by providing the value of the user's certificate as a string on Apache and Netscape. I will try later on to develop an interceptor to parse this string into a javax.security.cert.X509Certificate to keep spec compliant, but I do not promise anything.

After this introduction, hopefully you understand that there is no standard compliant way to get hold of internal server variables such as CERT_ISSUER and the like. Yet, I am working on accessing this info through the request attributes; extract the current Tomcat3.2-dev and this should be there.

As for JRUN (I am not bashing here, just asking a question): JRUN3 sends some of the server's proprietary variables in the headers! Interesting... Does it mean that by setting an HTTP request header named "HTTPS" (with the value "on") I will be able to impersonate an SSL connection? Will I be able to set CERT_ISSUER and HTTPS_KEYSIZE?

Gal Shachor

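An added example (not code from the message, nor from Tomcat) of the standard access path described in point 3: the servlet relies on isSecure() rather than any client-supplied "HTTPS" header, reads the javax.servlet.request.X509Certificate attribute, and also copes with the certificate-as-a-string form the post says Tomcat 3.2 may provide. It assumes a later Servlet API where the attribute is a java.security.cert.X509Certificate[] (the post names the older javax.security.cert type), that the string form is a PEM-encoded certificate as mod_ssl emits it, and the servlet name is hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ClientCertServlet extends HttpServlet {  // hypothetical name
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        // Ask the container whether the transport is SSL. A request header such as
        // "HTTPS: on" is just bytes from the client and must never stand in for this check.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "SSL connection required");
            return;
        }
        X509Certificate cert = clientCertificate(req);
        if (cert == null) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required"); return; }
        resp.setContentType("text/plain");
        resp.getWriter().println("Subject: " + cert.getSubjectX500Principal().getName());
        resp.getWriter().println("Issuer:  " + cert.getIssuerX500Principal().getName());
    }

    // Returns the client's own certificate (first in the chain), or null if none was presented.
    // Accepts the spec form (an array) and the string form the post says Tomcat 3.2 may provide.
    static X509Certificate clientCertificate(HttpServletRequest req) {
        Object attr = req.getAttribute(CERT_ATTR);
        if (attr instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) attr;
            return chain.length > 0 ? chain[0] : null;
        }
        if (attr instanceof String) {
            return parsePem((String) attr);  // assumption: the string is PEM, as mod_ssl emits it
        }
        return null;  // attribute absent: plain HTTP, or the server did not ask for a client cert
    }

    // Decodes one PEM-encoded certificate; returns null on any malformed input.
    static X509Certificate parsePem(String pem) {
        try {
            String b64 = pem.replaceAll("-----(BEGIN|END) CERTIFICATE-----|\\s", "");
            byte[] der = Base64.getDecoder().decode(b64);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
        } catch (Exception e) {
            return null;
        }
    }
}
```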