tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Problems with SSL_CLIENT_CERT_CHAIN_n from servlet
Date Fri, 08 Oct 2004 15:11:22 GMT
Yes, it is a known problem that using the AJP/1.3 Connector isn't 
spec-complient.  The Ajp13 protocol is still stuck at Servlet v2.2, and only 
exposes one cert.

----- Original Message ----- 
From: "Jesús Luna" <j.luna@certiver.com>
To: <jfrederic.clere@fujitsu-siemens.com>
Cc: "Tomcat Developers List" <tomcat-dev@jakarta.apache.org>
Sent: Friday, October 08, 2004 1:55 AM
Subject: RE: Problems with SSL_CLIENT_CERT_CHAIN_n from servlet


> -----Mensaje original-----
> De: jean-frederic clere [mailto:jfrederic.clere@fujitsu-siemens.com]
> Enviado el: viernes, 08 de octubre de 2004 8:28
> Para: Jesús Luna
> Asunto: Re: Problems with SSL_CLIENT_CERT_CHAIN_n from servlet
>
>
> I have not (yet) got it working but the idea to have more httpd variables
> available in the servlet sounds a needed feature.
>

I agree with you about the need for a new set of variables availables to the
servlet application (specially in the case of security!), however I've read
the "Java Servlet Specification v2.4" and it looks like the client's
certificate chain should be exposed as an attribute in a mandatory way. The
correspondent text from section SRV.4.7 "SSL Attributes" follows:
"If there is an SSL certificate associated with the request, it must be
exposed by
the servlet container to the servlet programmer as an array of objects of
type
java.security.cert.X509Certificate and accessible via a ServletRequest
attribute of javax.servlet.request.X509Certificate.
The order of this array is defined as being in ascending order of trust. The
first
certificate in the chain is the one set by the client, the next is the one
used to
authenticate the first, and so on."

So I still can't figure out why my app can't get them.

_______________________
Jesus Luna Garcia
CertiVeR (EU Funded Project)
j.luna@certiver.com
http://www.certiver.com


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org




Mime
View raw message