tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Remy Maucherat <r...@apache.org>
Subject Re: cvs commit: jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net JSSESocketFactory.java
Date Sat, 21 Sep 2002 09:27:13 GMT
Qingqing Ouyang wrote:
> Hi, Bill:
> 
> Thanx for the comments.  Please see the following.
> 
> 
>>> Can someone start the Tomcat server with clientAuth=false, but access
>>> a URI that is protected by CLIENT-CERT?  If yes, then I think a
>>> re-handshake is a must.
>>
>>
>>
>> But using CertificatesValve to accomplish this is the wrong way to do it.
>> Catalina has no good reason to know or care what transport the request 
>> was
>> received on.  It's the connector's job to take care of that.
>>
>> It looks like we may need another Action to handle this case (probably
>> invoked by the Realm).  Comments?
> 
> 
> Okay, that is where my ignorance kicks in. ;-)
> 
> I agree that Catalina does not have to know/care about what
> transport the request is received on.  The logical place for
> this to happen is somewhere:
> 
> 1. Tomcat has enough information to determine the incoming
>    request is intended for a Context that requires the
>    client-cert authentication
> 
> 2. Tomcat also has to have the handle on the specific
>    transport mechanism to force this second handshake with
>    the client.
> 
> 3. The certificate information also has to be populated with
>    the Request object for further authorization calls...

We can have the current certificate valve send an action to the Coyote 
layer, which would then update the appropriate attributes.
I think some new method is needed in SSLSupport.

Remy


--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>


Mime
View raw message