tomcat-dev mailing list archives

From Mark Thomas <>
Subject RE: Bug 19867
Date Mon, 11 Aug 2003 22:23:14 GMT
I have been looking into

and have a couple of questions.

The error seen in this report is a result of specifying CLIENT-CERT 
authentication without specifying a user-data-constraint. This causes an NPE 
because the sslSupport attribute of the http11Processor object is null.

I have looked at the servlet spec (2.3 and the draft of 2.4) and, based on the 
2.4 draft, the user-data-constraint is not mandatory (end of SRV.12.8) and the 
use of CLIENT-CERT requires SSL (SRV.12.5.4). With this in mind, my first 
question is:

1. If a user wants to use CLIENT-CERT should they have to specify a 
user-data-constraint or should tomcat automatically apply SSL to the resources 
in the web resource collection specified in the security constraint when the 
auth constraint is CLIENT-CERT? Having read the spec, I can't figure out what 
should happen.

Regardless of the answer to the above, if CLIENT-CERT is specified, 
user-data-constraint is set to CONFIDENTIAL and there are no valid certs on the 
client a number of exceptions get thrown by tomcat. This brings me to my 
remaining question:

2. Not having a matching certificate is equivalent to getting the password 
wrong. Therefore, shouldn't tomcat behave in a similar way (no exceptions, 
return a 403 to the client) rather than throwing the exceptions?

With some guidance on the above, assuming that some code changes will be 
required, I'll set about writing a patch.

Note: Although the bug is reported against 4.1.24, the same behaviour is seen 
with the latest 4.x.x and 5.x.x.
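Added example (not part of the message above, and not Tomcat's own code): the two web.xml deployment-descriptor shapes the message contrasts. The first `security-constraint` declares CLIENT-CERT as the login `auth-method` but omits `user-data-constraint`, so nothing in the descriptor guarantees the request arrives over SSL; the second adds `transport-guarantee` CONFIDENTIAL, which is the configuration the message says still works but produces exceptions when the client presents no valid certificate. The `url-pattern`, `web-resource-name`, `role-name` and `realm-name` values are constructed placeholders.

```xml
<!-- Constructed example: web.xml fragments illustrating the two configurations
     discussed in the message. Element names follow the Servlet 2.3/2.4 schema;
     patterns, names and roles are placeholders. -->

<!-- 1. CLIENT-CERT without a user-data-constraint. The descriptor gives no
        transport guarantee, so the protected resources may be reached over
        plain HTTP, where no SSL session (and hence no client cert) exists. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area (no transport guarantee)</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert-user</role-name>
  </auth-constraint>
  <!-- no <user-data-constraint> here -->
</security-constraint>

<!-- 2. Same constraint with an explicit CONFIDENTIAL transport guarantee.
        Requests for /secure/* must use SSL, so the connector's SSL support is
        in place before the CLIENT-CERT authenticator asks for the peer cert. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area (SSL required)</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- The authentication method itself is declared once per web application in
     login-config, not inside the security-constraint. -->
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Example Realm</realm-name>
</login-config>
```

Declaring CONFIDENTIAL explicitly, as in the second fragment, is the defensive choice regardless of how the spec question in the message is resolved: it makes the SSL requirement visible in the descriptor rather than relying on the container to infer it from the CLIENT-CERT auth method.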