tomcat-dev mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: How to make CLIENT-CERT protection work?
Date Thu, 16 Oct 2003 18:53:04 GMT

----- Original Message -----
From: "Jan Luehe" <Jan.Luehe@Sun.COM>
To: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Wednesday, October 15, 2003 6:38 PM
Subject: How to make CLIENT-CERT protection work?


> Consider the following scenario:
>
> 1. Client sends POST request (with content type other than
>     "application/x-www-form-urlencoded") to SSL-enabled server (with
>     client auth turned off).
>
> 2. Server parses request header, and determines that the resource
>     identified by the request-URI is CLIENT-CERT protected.
>
> 3. Server's SSLAuthenticator valve reinitiates SSL handshake, w/
>     client auth turned on.
>
> 4. The server sends its HelloRequest, and expects to read the client's
>     ClientHello. However, what it gets is the POST request's body which
>     hadn't been read yet.
>
> 5. SSL handshake fails.
>
>
> In order to avoid this problem, SSLAuthenticator.authenticate()
> "clears" the socket in the case of a POST request by reading the POST
> request's body *before* reinitiating the handshake. To read the POST
> body, it calls CoyoteRequest.getParameterMap(), which reads and
> processes the POST body only if the content type equals
> "application/x-www-form-urlencoded".
>
> Therefore, the SSL re-handshake works according to plan if the content
> type equals "application/x-www-form-urlencoded", but fails for any
> other content type.
>
> Should we always read the POST body in getParameterMap(), and cache it
> in a byte[] if content type is different from
> "application/x-www-form-urlencoded", and have
> CoyoteRequest.getInputStream()/getReader() return wrappers around this
> byte[]?
>
> Any better suggestions?

It would probably be better to remove the POST check from SSLAuthenticator,
and move it to Http11Processor.action. Then when it is processing
ACTION_REQ_SSL_CERTIFICATE, it simply needs to add a new InputFilter (say,
BufferedInputFilter) that does a full read of the Request data.

>
> Thanks,
>
>
> Jan


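As an added illustration of the suggestion above (this is not code from the thread or from Tomcat), here is a stand-alone Java sketch of what such a buffering filter has to do: drain the whole entity body off the connection before the renegotiation, keyed on Content-Length rather than on content type, and keep the bytes so that getInputStream()/getReader() can later replay them to the servlet. The class and method names, the size cap and the sample body are assumptions; the connection is simulated with an in-memory stream (the unread POST body followed by the client's next TLS record) so the sketch runs without a socket.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.SequenceInputStream;
import java.nio.charset.StandardCharsets;

// Hypothetical names; this is not org.apache.coyote's InputFilter API.
public class BufferedBodyDemo {

    /** The fully read body; the request's getInputStream()/getReader() would wrap newStream(). */
    static final class BufferedBody {
        private final byte[] data;
        BufferedBody(byte[] data) { this.data = data; }
        InputStream newStream() { return new ByteArrayInputStream(data); }
        int length() { return data.length; }
    }

    /**
     * Read exactly contentLength bytes of the entity body off the connection,
     * whatever its content type, so nothing of the request is left in the
     * socket buffer when the server sends HelloRequest. The cap (assumed value)
     * keeps a client from making the server buffer an arbitrarily large body.
     */
    static BufferedBody drainBody(InputStream socketIn, long contentLength, int maxBytes)
            throws IOException {
        if (contentLength < 0 || contentLength > maxBytes) {
            throw new IOException("refusing to buffer a body of " + contentLength + " bytes");
        }
        byte[] buf = new byte[(int) contentLength];
        int off = 0;
        while (off < buf.length) {
            int n = socketIn.read(buf, off, buf.length - off);
            if (n < 0) {
                throw new IOException("connection closed before the body was complete");
            }
            off += n;
        }
        return new BufferedBody(buf);
    }

    /** Stand-in for the TLS layer: returns the first byte of whatever comes next on the wire. */
    static int nextWireByte(InputStream socketIn) throws IOException {
        return socketIn.read();
    }

    /** Constructed connection: the not-yet-read POST body, then the client's next TLS record. */
    static InputStream constructedConnection(byte[] body) {
        byte[] handshakeRecordStart = {0x16, 0x03, 0x01}; // TLS record type 22 = handshake
        return new SequenceInputStream(new ByteArrayInputStream(body),
                                       new ByteArrayInputStream(handshakeRecordStart));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a JSON body, i.e. not application/x-www-form-urlencoded,
        // so getParameterMap() would have left it unread.
        byte[] body = "{\"user\":\"alice\"}".getBytes(StandardCharsets.US_ASCII);

        // Step 4 of the scenario, unbuffered: the handshake reader sees the
        // first byte of the POST body where it expects a handshake record.
        InputStream unbuffered = constructedConnection(body);
        System.out.printf("without draining: next byte 0x%02x%n", nextWireByte(unbuffered));

        // With the body drained first, the next byte on the wire belongs to the
        // client's handshake record, so the renegotiation can proceed.
        InputStream buffered = constructedConnection(body);
        BufferedBody saved = drainBody(buffered, body.length, 64 * 1024);
        System.out.printf("after draining %d bytes: next byte 0x%02x%n",
                          saved.length(), nextWireByte(buffered));

        // The servlet can still consume the body later, from the cached copy.
        byte[] replay = saved.newStream().readAllBytes();
        System.out.println("replayed body: " + new String(replay, StandardCharsets.US_ASCII));
    }
}
```

Two points a real filter has to handle that this sketch does not: a body sent with Transfer-Encoding: chunked has no Content-Length and must be drained through the chunked decoder until the terminating chunk, and the cap on buffered size is what stops an unauthenticated client from consuming server memory before the certificate check has even run.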