tomcat-dev mailing list archives

From jerome.camill...@bull.net
Subject Ref.: RE: X509 client certificate
Date Fri, 15 Dec 2000 14:29:59 GMT
Hello Stefan,

I prefer having two answers to none, so thank you for your help, but...
when I try with Tomcat 4.0-m5 to sniff my HTTPS request, I obtain this:

Request attributes:
   filters.ExampleFilter.SERVLET_MAPPED = 
InvokerFilter(ApplicationFilterConfig[name=Servlet Mapped Filter, 
filterClass=filters.ExampleFilter])
   javax.servlet.request.key-size = 40
   filters.ExampleFilter.PATH_MAPPED = 
InvokerFilter(ApplicationFilterConfig[name=Path Mapped Filter, 
filterClass=filters.ExampleFilter])
   javax.servlet.request.cipher-suite = SSL_RSA_EXPORT_WITH_RC4_40_MD5
...
Request Is Secure: true


Obviously, when I try to extract the javax.servlet.request.X509Certificate
object with this command:
(java.security.cert.X509Certificate) request.getAttribute(
"javax.servlet.request.X509Certificate" )
I obtain a null object.

Any other idea?

Best regards

Jérôme




Stefán F. Stefánsson <stefanf@mx1.decode.is>
14/12/00 09:58

 
        To:  <jerome.camilleri@bull.net>
        cc:
        Subject: RE: X509 client certificate


Whoops... Seems like your mail has already been answered by Craig.

As he said... you apparently need to upgrade to TC 4.0 m4 at least.

Regards, Stefan Freyr.

-----Original Message-----
From: jerome.camilleri@bull.net [mailto:jerome.camilleri@bull.net]
Sent: 13 December 2000 15:30
To: Stefán F. Stefánsson
Subject: RE: X509 client certificate



Hi Stefan,

I tried to extract the certificate from my request like you said in your
mail, but I get an exception, because the object returned by the
request.getAttribute( "javax.servlet.request.X509Certificate" )
method wasn't of type java.security.cert.X509Certificate but
[Ljava.security.cert.X509Certificate;

log file:
2000-12-13 16:21:10 StandardWrapperValve[org.apache.catalina.INVOKER.SnoopServlet]: Servlet.service() for servlet org.apache.catalina.INVOKER.SnoopServlet threw exception
java.lang.ClassCastException: [Ljava.security.cert.X509Certificate;
        at SnoopServlet.doGet(SnoopServlet.java:65)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.catalina.core.ApplicationFilterWrapper.doFilter(ApplicationFilterWrapper.java:159)
        at filters.ExampleFilter.doFilter(ExampleFilter.java:136)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:258)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:936)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
        at org.apache.catalina.valves.ValveBase.invokeNext(ValveBase.java:242)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:311)
        at org.apache.catalina.valves.ValveBase.invokeNext(ValveBase.java:242)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:152)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:934)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:1674)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
        at org.apache.catalina.valves.ValveBase.invokeNext(ValveBase.java:242)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:343)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:934)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:159)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:936)
        at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:787)
        at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:904)
        at java.lang.Thread.run(Thread.java:484)

Very strange, but do you have an idea about the problem?

Config: Apache Tomcat (v4.0-m1)

Best regards

Jérôme Camilleri
Bull
France


You wrote:


Hi Alexandre,

I'm not sure I fully understand your question but let me see if I can
help you at all.

The addSecureEndpoint method of EmbededTomcat used to be just like the
one you described below.  I added the addSecureEndpoint(int port,
InetAddress addr, String hostname, String keyfile, String keypass,
boolean clientAuth) to be able to force the client to show a certificate
for logging in.

I want to answer you in a few steps, so please bear with me.

1.
Now, first of all I think you're going a little bit too long a way
using the addSecureEndpoint.  Wouldn't it be easier for you to call the
method I described above (the addSecureEndpoint(int, InetAddress,
String, String, String, boolean)) instead of calling the original one
(the addSecureEndpoint(int, InetAddress, String, String, String)) and
changing the code in that?  The modifications to the original
addSecureEndpoint were for backwards compatibility.  In other words, the
original method, addSecureEndpoint, added an endpoint with no client
authentication.  I added a method that provides a means of getting client
authentication by means of client certificates, and modified the
original call to call my method with client authentication == false,
hence maintaining backwards compatibility.  I would say you should much
rather change the code in Tomcat back to what it was before and call
addSecureEndpoint(int, InetAddress, String, String, String, boolean) in
EmbededTomcat directly instead.  That way you won't have to recompile
Tomcat every time you change your mind about requiring a client
certificate in your application.

2.
Now for your problem at hand ;o).  I don't know exactly how the
getUserPrincipal method in HttpServletRequest class is supposed to work
but what I got from JavaDoc was:

Returns a java.security.Principal object containing the name of the
current authenticated user. If the user has not been authenticated, the
method returns null.

And from the JavaDoc for java.security.Principal, I got:

This interface represents the abstract notion of a principal, which can
be used to represent any entity, such as an individual, a corporation,
and a login id.

Now.  You would think that Tomcat should serve up the DN of the client
certificate when a user calls request.getUserPrincipal, but according to
you, it doesn't.  I don't know if there are any reasons for that,
although I doubt it.  I would think this is an oversight and should
preferably be fixed.  That shouldn't be too much trouble.  The
Servlet API specs are not all that clear about this issue.  I would think
that getUserPrincipal works for other types of authentication (the
username/password type).  I'll file a bug report on this matter
after I finish this ;o)

Now for your solution.  What you can do is call the method
request.getAttribute( "javax.servlet.request.X509Certificate" ).  This
will return a java.security.cert.X509Certificate with all the
information you could possibly want (well... almost) on your client.
This includes the distinguished name of the client, obtained by using
java.security.cert.X509Certificate.getSubjectDN().

I hope this helps!

Regards, Stefan.
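The following servlet is an added example, not code from this thread or from Tomcat itself, showing how to read the attribute the thread is about. Under the Servlet 2.3 specification the request attribute javax.servlet.request.X509Certificate holds a java.security.cert.X509Certificate[] (the client's certificate chain, end-entity certificate first), which is why the cast to a single X509Certificate in the log above fails with [Ljava.security.cert.X509Certificate;, and the attribute is simply absent (null) when the connector did not ask the client for a certificate, as on the 4.0-m5 run above. The javax.servlet.request.key-size attribute is an Integer, so the example also refuses export-grade suites such as the 40-bit SSL_RSA_EXPORT_WITH_RC4_40_MD5 shown earlier. The class name ClientCertServlet, the 128-bit minimum and the error messages are this example's own assumptions.

```java
// Added example (not from the original thread or from Tomcat): reading the
// client certificate chain exposed under the Servlet 2.3 request attribute.
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ClientCertServlet extends HttpServlet {

    // Attribute names defined by the Servlet 2.3 specification.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private static final String KEY_SIZE_ATTR = "javax.servlet.request.key-size";
    private static final String CIPHER_ATTR = "javax.servlet.request.cipher-suite";

    // Assumption for this example: refuse symmetric keys shorter than 128 bits.
    private static final int MIN_KEY_SIZE = 128;

    /**
     * Returns the end-entity (client) certificate, or null when the request
     * carries none. The attribute is an array holding the chain with the
     * client certificate first; casting it to a single X509Certificate is
     * what produces "ClassCastException: [Ljava.security.cert.X509Certificate;".
     */
    static X509Certificate clientCertificate(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null; // not HTTPS, clientAuth not enabled, or no certificate sent
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        return chain.length > 0 ? chain[0] : null;
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();

        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        // key-size is an Integer per the spec; reject export-grade suites.
        Object ks = request.getAttribute(KEY_SIZE_ATTR);
        int keySize = (ks instanceof Integer) ? ((Integer) ks).intValue() : 0;
        if (keySize < MIN_KEY_SIZE) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "cipher suite too weak: " + request.getAttribute(CIPHER_ATTR));
            return;
        }

        X509Certificate cert = clientCertificate(request);
        if (cert == null) {
            // With client authentication required, the handshake itself fails
            // without a certificate; reaching this branch means the connector
            // never asked for one, so there is nothing to authenticate.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "client certificate required");
            return;
        }

        try {
            cert.checkValidity(); // throws if expired or not yet valid
        } catch (CertificateExpiredException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "certificate expired");
            return;
        } catch (CertificateNotYetValidException e) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "certificate not yet valid");
            return;
        }

        out.println("Subject DN: " + cert.getSubjectDN().getName());
        out.println("Issuer DN:  " + cert.getIssuerDN().getName());
        out.println("Serial:     " + cert.getSerialNumber().toString(16));
        out.println("Cipher:     " + request.getAttribute(CIPHER_ATTR)
                + " (" + keySize + " bits)");
    }
}
```

Two caveats. The container verifies the chain against its trust store only when the connector is configured to require client authentication; the servlet's own checks above only cover the validity period, so an application that maps the subject DN to a user should key that mapping on issuer plus serial number (or the whole certificate) rather than on the DN string alone, since two CAs trusted by the container could issue certificates with the same subject. And because the attribute is null rather than an exception when no certificate was requested, treat null as "unauthenticated", never as "anonymous but allowed".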


