From cos...@locus.apache.org
Subject cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/net SSLSocketFactory.java
Date Wed, 04 Oct 2000 19:55:28 GMT
costin      00/10/04 12:55:27

  Modified:    src/share/org/apache/tomcat/net Tag: tomcat_32
                        SSLSocketFactory.java
  Log:
  First patch from Stefán Freyr Stefánsson <stebbi@decode.is>
  to support mutual authentication.
  
  This is a minimal change, nothing will happen unless you set "clientAuth"
  attribute - the trustManager will be null, so the same call to init
  will happen and setNeedClientAuth will have the same false param.
  
  The code affects tomcat only if the attribute is set - I don't think it can
  add any regression.
  
  As usual, let me know if you want me to roll it back; I know it's late, but
  it is a very minimal change with a clear benefit.
  
  Submitted by: Stefán Freyr Stefánsson <stebbi@decode.is>
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.2.2.2   +41 -11    jakarta-tomcat/src/share/org/apache/tomcat/net/Attic/SSLSocketFactory.java
  
  Index: SSLSocketFactory.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/net/Attic/SSLSocketFactory.java,v
  retrieving revision 1.2.2.1
  retrieving revision 1.2.2.2
  diff -u -r1.2.2.1 -r1.2.2.2
  --- SSLSocketFactory.java	2000/07/25 22:20:50	1.2.2.1
  +++ SSLSocketFactory.java	2000/10/04 19:55:26	1.2.2.2
  @@ -1,8 +1,4 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/net/Attic/SSLSocketFactory.java,v
1.2.2.1 2000/07/25 22:20:50 costin Exp $
  - * $Revision: 1.2.2.1 $
  - * $Date: 2000/07/25 22:20:50 $
  - *
    * ====================================================================
    *
    * The Apache Software License, Version 1.1
  @@ -89,6 +85,7 @@
    *
    * @author Harish Prabandham
    * @author Costin Manolache
  + * @author Stefan Freyr Stefansson
    */
   public class SSLSocketFactory
       extends org.apache.tomcat.net.ServerSocketFactory
  @@ -142,6 +139,10 @@
        */
       private void initProxy() throws IOException {
   	try {
  +	    /** Should client authentication be performed?
  +	     */
  +	    clientAuth = "true".equals(attributes.get("clientAuth"));
  +
   	    /** You should have this in java.security, but
   		can't hurt to double check
   	    */
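Review bot: Any value other than the exact lowercase string `true` (for example `TRUE` or `yes`) silently leaves clientAuth false on the line `clientAuth = "true".equals(attributes.get("clientAuth"));`, so a mis-cased configuration value disables mutual authentication without any message. Accepting the value case-insensitively and logging anything else that was set would make the fall-through visible, e.g. `Object ca = attributes.get("clientAuth"); clientAuth = ca != null && "true".equalsIgnoreCase(ca.toString());` followed by a log line when `ca` is non-null but rejected. The `/** … */` form on the new comment is Javadoc syntax inside a method body; a plain `// Should client authentication be performed?` is the usual form there. initProxy's body continues outside the hunk, and the declaration of the clientAuth field is not part of this diff.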
  @@ -168,13 +169,17 @@
   		com.sun.net.ssl.KeyManagerFactory.getInstance("SunX509");
   	    kmf.init( kstore, keyPass.toCharArray());
   
  -	    // XXX I don't know if this is needed
  -//  	    com.sun.net.ssl.TrustManagerFactory tmf = 
  -//  		com.sun.net.ssl.TrustManagerFactory.getInstance("SunX509");
  -// 		tmf.init(kstore);
  +	    // If client authentication is needed, set up TrustManager
  +	    com.sun.net.ssl.TrustManager[] tm = null;
  +	    if( clientAuth) {
  +		com.sun.net.ssl.TrustManagerFactory tmf =
  +                    com.sun.net.ssl.TrustManagerFactory.getInstance("SunX509");
  +		tmf.init(kstore);
  +		tm = tmf.getTrustManagers();
  +	    }
   
   	    // init context with the key managers
  -	    context.init(kmf.getKeyManagers(), null, null);
  +	    context.init(kmf.getKeyManagers(), tm, null);
   
   	    // create proxy
   	    sslProxy = context.getServerSocketFactory();
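Review bot: `tmf.init(kstore)` builds the trust managers from the same keystore that holds the server's private key, so the set of issuers accepted for client certificates is whatever trusted-certificate entries happen to be in that file, and an operator cannot point client-certificate validation at a separate store. A dedicated truststore attribute (name to be chosen) that falls back to `kstore` only when absent would keep the key material and the trust anchors independent; at minimum the comment above the `if( clientAuth)` branch should say so, e.g. `// Client certificates are validated against the trusted-cert entries of the server keystore`. When clientAuth is false `tm` stays null and `context.init` falls back to the provider's default trust managers, which is what the commit message describes, but that is worth stating next to the `context.init(kmf.getKeyManagers(), tm, null);` line as well. initProxy begins and ends outside this hunk.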
  @@ -197,9 +202,12 @@
   	String cipherSuites[] = socket.getSupportedCipherSuites();
   	socket.setEnabledCipherSuites(cipherSuites);
   
  +// 	if(clientAuth) {
  +// 	}
  +    
   	// we don't know if client auth is needed -
   	// after parsing the request we may re-handshake
  -	socket.setNeedClientAuth(false);
  +	socket.setNeedClientAuth(clientAuth);
       }
   
       private KeyStore initKeyStore( String keystoreFile,
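Review bot: The comment `// we don't know if client auth is needed - after parsing the request we may re-handshake` now sits directly above `socket.setNeedClientAuth(clientAuth);`, where the value does come from configuration, so the comment and the code no longer agree; something like `// request client auth as configured; a later re-handshake may still ask for it` would match the new behaviour. The commented-out `// if(clientAuth) {` / `// }` pair added just above it is dead text and should be removed rather than committed. The enclosing method starts outside the hunk.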
  @@ -224,5 +232,27 @@
   	}
       }
   
  -    
  +    /** 3.2-specific hack - allow the socket factory to manipulate the
  +	request. This will be replaced with a clean, interceptor
  +	based mechanism in 3.3
  +    */
  +    public void preProcessRequest( Socket sslSocket,
  +				   org.apache.tomcat.core.Request reqA )
  +    {
  +	//Set the client certificate attribute if appropriate
  +	if( socket instanceof javax.net.ssl.SSLSocket ) {
  +	    javax.net.ssl.SSLSocket sslSocket = (javax.net.ssl.SSLSocket)socket;
  +	    javax.security.cert.X509Certificate[] certChain = sslSocket.
  +		getSession().getPeerCertificateChain();
  +	    
  +	    if( certChain != null && certChain.length > 0 ) {
  +		reqA.setAttribute("tomcat.request.X509CertificateChain",
  +				  certChain);
  +		reqA.setAttribute("javax.servlet.request.X509Certificate",
  +				  certChain[0]);
  +	    }
  +	    // this is a  ssl socket
  +	    reqA.setScheme( "https" );
  +	}
  +    }
   }
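Review bot: preProcessRequest declares its first parameter as `Socket sslSocket` but the body tests `socket` and then declares a local `javax.net.ssl.SSLSocket sslSocket`, which redeclares the parameter name in the same scope and is rejected by javac; unless `socket` is a field of this class, the parameter should be named `socket` so the body works on the argument it was given. As far as I recall `SSLSession.getPeerCertificateChain()` declares the checked `SSLPeerUnverifiedException`, thrown whenever the peer presented no certificate, which is the normal case when the clientAuth attribute is not set; the method neither declares nor catches it, so with the default configuration every HTTPS request routed through here would fail (or the file would not compile) instead of simply leaving the certificate attributes unset. Catching that exception around the chain lookup and treating it as "no client certificate" keeps the non-mutual path unaffected, as the commit message intends; the rest of the method (attribute setting and `setScheme`) is fine as is.
```java
    public void preProcessRequest( Socket socket,
                                   org.apache.tomcat.core.Request reqA )
    {
        //Set the client certificate attribute if appropriate
        if( socket instanceof javax.net.ssl.SSLSocket ) {
            javax.net.ssl.SSLSocket sslSocket = (javax.net.ssl.SSLSocket)socket;
            javax.security.cert.X509Certificate[] certChain = null;
            try {
                certChain = sslSocket.getSession().getPeerCertificateChain();
            } catch( javax.net.ssl.SSLPeerUnverifiedException e ) {
                // no client certificate was presented (clientAuth not set or
                // the peer sent none) - leave the certificate attributes unset
            }
            // … unchanged: attribute setting and setScheme("https") …
        }
    }
```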
  
  
  
