tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 34643] - document how to use certificate-based "clientAuth" on a per user or per session basis
Date Wed, 27 Apr 2005 19:38:01 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=34643>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=34643


william.barker@wilshire.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|william.barker@wilshire.com |




------- Additional Comments From william.barker@wilshire.com  2005-04-27 21:37 -------
(In reply to comment #0)
> Interim results of my own little research:
> - if I request org.apache.catalina.Globals.SSL_CERTIFICATE_ATTR,
> org.apache.coyote.tomcat4.CoyoteRequest.getAttribute triggers the
> org.apache.coyote.ActionCode.ACTION_REQ_SSL_CERTIFICATE re-handshake

This works in 4.1 & 5.0, but has been removed from 5.5.  You would need your 
own custom Valve to do this in 5.5.

> Open issues I haven't mastered so far:
> 1) If the application allows for self-signed certificates the user uploads into
> the DB i.e. her profile, is there a way to use a non-global trustStore to
> validate? Otherwise, with an increasing user-basis, I foresee scalability
> problems if I had to import all such certificates into a global trust store?

You probably want an LDAP-based trustStore (e.g. 
java.security.cert.LDAPCertStoreParameters).  Not hard to implement (at least 
for JDK 1.5), but so far there hasn't been much demand for it.

> 2) javax.net.ssl.SSLServerSocket.setNeedClientAuth in
> org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.configureClientAuth might be
> the basis for an alternative approach, but I wouldn't know how to set that (or
> probably rather
> org.apache.tomcat.util.net.ServerSocketFactory.setAttribute("clientAuth", true)
> before the org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket has
> already occurred?

This is where the clientAuth attribute on the <Connector> eventually ends 
up :).



-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
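The first open issue quoted in the comment above, validating a self-signed certificate the user uploaded into her own profile without importing every such certificate into a global trust store, can be shown in application code. The Go program below is an added example; it is not code from the bug report, from Tomcat, or from the reply (which points at an LDAP-backed CertStore instead). It demonstrates the general idea of a per-user trust anchor: the trust pool for a given login attempt contains exactly the certificate stored in the claimed user's profile, and the certificate presented in the TLS handshake is verified against that pool only. `UserProfile`, `newSelfSignedClientCert` and `authenticateClientCert` are names chosen here, and the certificates are generated in-process as constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// UserProfile is a constructed stand-in for the per-user record in the
// application database (the "DB i.e. her profile" of the bug report).
type UserProfile struct {
	Name string
	Cert *x509.Certificate // the self-signed certificate the user uploaded
}

// newSelfSignedClientCert generates the kind of certificate a user would
// upload: self-signed, not a CA, usable for TLS client authentication only.
// Constructed test data; a real user would generate this with their own tooling.
func newSelfSignedClientCert(cn string, notBefore, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  false,
	}
	// Passing the template as its own parent makes the certificate self-signed.
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// authenticateClientCert checks the certificate presented in the TLS handshake
// against a trust pool that contains ONLY the certificate on file for the
// claimed user. Nothing is ever imported into a global trust store, so the
// check does not grow with the user base.
//
// Proof that the client holds the matching private key is the TLS layer's job
// (the handshake's CertificateVerify message); this function only binds the
// verified certificate to one user record.
func authenticateClientCert(profile *UserProfile, presented *x509.Certificate, now time.Time) error {
	if profile == nil || profile.Cert == nil {
		return errors.New("no certificate on file for this user")
	}
	if presented == nil {
		return errors.New("no client certificate was presented")
	}
	roots := x509.NewCertPool()
	roots.AddCert(profile.Cert) // the per-user trust anchor
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err // nil on success; an Expired or UnknownAuthority error otherwise
}

func main() {
	now := time.Now()
	aliceCert, _, err := newSelfSignedClientCert("alice", now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	bobCert, _, err := newSelfSignedClientCert("bob", now.Add(-time.Hour), now.Add(24*time.Hour))
	if err != nil {
		panic(err)
	}
	alice := &UserProfile{Name: "alice", Cert: aliceCert}

	fmt.Println("alice with her own cert: ", authenticateClientCert(alice, aliceCert, now))
	fmt.Println("alice with bob's cert:   ", authenticateClientCert(alice, bobCert, now))
	fmt.Println("alice two days later:    ", authenticateClientCert(alice, aliceCert, now.Add(48*time.Hour)))
}
```

In a servlet container the `presented` certificate would come from the TLS layer (in Tomcat, the `javax.servlet.request.X509Certificate` request attribute that `org.apache.catalina.Globals.SSL_CERTIFICATE_ATTR` names), and the profile lookup would be keyed on whatever identity the user claims before the check. Because the pool is built per request from a single stored certificate, a user whose certificate is revoked or replaced is handled by updating her profile row, with no change to any shared trust store.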

