tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Stefán F. Stefánsson <>
Subject RE: X509 client certificate
Date Mon, 04 Dec 2000 09:53:58 GMT
Hi Alexandre.

I'm not sure I fully understand your question but let me see if I can
help you at all.

The addSecureEndpoint method of EmbededTomcat used to be just like the
one you described below.  I added the addSecureEndpoint(int port,
InetAddress addr, String hostname, String keyfile, String keypass,
boolean clientAuth) to be able to force the client to show a certificate
for logging in.

I want to answer you in a few steps, so please bear with me.

Now, first of all I think you're going a little bit too long of a way
using the addSecureEndpoint.  Wouldn't it be easier for you to call the
method I described above (the addSecureEndpoint(int, InetAddress,
String, String, String, boolean)) instead of calling the original one
(the addSecureEndpoint(int, InetAddress, String, String, String)) and
changing the code in that?  The modifications to the original
addSecureEndpoint were for backwards compatability.  In other words, the
original method, addSecureEndpoint added an endpoint with no client
authentication.  I added a method that provides means for getting client
authentication by the means of client certificates, and modified the
original call to call my method with client authentication == false.
Hence, maintaining backwards compatability.  I would say you should much
rather change the code in tomcat to what it was before and call
addSecureEndpoint(int, InetAddress, String, String, String, boolean) in
EmbededTomcat directly instead.  That way you won't have to recompile
Tomcat every time you change your mind about requiring a client
certificate in your application.

Now for your problem at hand ;o).  I don't know exactly how the
getUserPrincipal method in HttpServletRequest class is supposed to work
but what I got from JavaDoc was:

Returns a object containing the name of the
current authenticated user. If the user has not been authenticated, the
method returns null.

And from the JavaDoc for, I got:

This interface represents the abstract notion of a principal, which can
be used to represent any entity, such as an individual, a corporation,
and a login id.

Now.  You would think that Tomcat should serve up the DN of the client
certificate when a user calls request.getUserPrincipal but according to
you, it doesn't.  I don't know if there are any reasons for that
although I doubt it.  I would think this is an oversight and should
prefferably be fixed.  That shouldn't be too much trouble.  The
ServletAPI Specs are not all that clear about this issue.  I would think
that getUserPrincipal works for other types of authentication (the
username, password type).  I'll file in a bug report on this matter
after I finish this ;o)

Now for your solution.  What you can do is call the method
request.getAttribute( "javax.servlet.request.X509Certificate" ).  This
will return a with all the
information you could possibly want (well... almost) on your client.
This include the distinguished name of the client by using

I hope this helps!

Regards, Stefan.

-----Original Message-----
From: Alexandre A. Drummond Barroso
Sent: 3. desember 2000 00:16
Subject: X509 client certificate

I tried to make Tomcat
changing the following parameter of addSecureEndpoint in

    public void addSecureEndpoint( int port, InetAddress addr, String
                                    String keyFile, String keyPass )
        addSecureEndpoint(port, addr, hostname, keyFile, keyPass,
to true, but when I called request.getUserPrincipal() it just returned
null. Is there any problem with addSecureEndpoint
implementation or in some method it calls?



View raw message