tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 41337] - Display an error page if no cert is available on CLIENT-CERT login
Date Tue, 30 Jan 2007 16:08:45 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41337>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41337

------- Additional Comments From juliusdavies@gmail.com  2007-01-30 08:08 -------
Hi,

The only way to present a useful error page is to establish a socket.  JSSE
won't let the socket happen if there's a problem with a client cert.  In my mind
the only way to provide a useful error page would be for Tomcat to only ever
use "setWantClientAuth" (which isn't even available pre-Java 1.4!), and to draw
an HTML error page for all requests if "need=true" is set in Tomcat's own config.

It's nicer to just leave all this stuff up to JSSE and not worry about it.  By
circumventing JSSE's "no socket for you" security, Tomcat risks making itself
insecure, even though a helpful error page would be *really* handy!

Workaround: set your own SSL config in Tomcat to "WANT" instead of "NEED" (in
server.xml) and set up your own ServletFilter on "/*" that draws a nice error
page if no client cert is provided.

<!-- server.xml: ask the client for a certificate but do not abort the handshake
     when none is offered; the filter mapped on /* handles the missing-cert case -->
<Connector
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           sslProtocol="TLS"
           clientAuth="want"
/>

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
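
The filter half of the workaround above, as an added example that is not part of the bug comment or of Tomcat's own code. It assumes a Servlet 2.x/3.x `javax.servlet` container, a connector configured with `clientAuth="want"` as in the snippet, and a `web.xml` mapping of the filter on `/*`; the class name `RequireClientCertFilter` and the filter name are this example's own. The certificate chain is read from the servlet-spec request attribute `javax.servlet.request.X509Certificate`, which is the standard attribute a container sets once the TLS handshake has recorded a client certificate. Two caveats a practitioner should keep in mind: because `clientAuth="want"` lets every handshake complete, the filter must cover every path the old `NEED`/CLIENT-CERT constraint protected, or unauthenticated requests will reach them; and JSSE still aborts the handshake when a client presents a certificate that fails validation, so this page only helps the "no certificate at all" case, exactly as the comment describes.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Illustrative filter (not Tomcat code). With clientAuth="want" the TLS
 * handshake succeeds even when the browser offers no certificate, so the
 * request reaches the container; this filter turns that case into a readable
 * HTML error page instead of letting CLIENT-CERT authentication fail opaquely.
 *
 * Mapping assumed in web.xml (the filter name is this example's own):
 *
 *   <filter>
 *     <filter-name>RequireClientCert</filter-name>
 *     <filter-class>RequireClientCertFilter</filter-class>
 *   </filter>
 *   <filter-mapping>
 *     <filter-name>RequireClientCert</filter-name>
 *     <url-pattern>/*</url-pattern>
 *   </filter-mapping>
 */
public class RequireClientCertFilter implements Filter {

    /** Servlet-spec request attribute holding the verified client chain. */
    private static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig config) throws ServletException {
        // nothing to configure
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!hasClientCertificate(request)) {
            sendNoCertificatePage(response);
            return;                       // stop here; the application never sees the request
        }
        chain.doFilter(request, response);
    }

    /**
     * True only when the request arrived over TLS and the container recorded a
     * non-empty certificate chain. A plain-HTTP request (e.g. on port 8080)
     * never carries a certificate and is rejected the same way.
     */
    static boolean hasClientCertificate(HttpServletRequest request) {
        if (!request.isSecure()) {
            return false;
        }
        Object attr = request.getAttribute(CERT_ATTRIBUTE);
        if (!(attr instanceof X509Certificate[])) {
            return false;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        return chain.length > 0 && chain[0] != null;
    }

    /** Static page: no request data is echoed, so there is nothing to escape. */
    private static void sendNoCertificatePage(HttpServletResponse response) throws IOException {
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setContentType("text/html;charset=UTF-8");
        response.setHeader("Cache-Control", "no-store");
        PrintWriter out = response.getWriter();
        out.println("<html><head><title>Client certificate required</title></head><body>");
        out.println("<h1>Client certificate required</h1>");
        out.println("<p>Your browser did not present a client certificate, so this site");
        out.println("cannot identify you. Install your certificate in the browser and");
        out.println("reload the page.</p>");
        out.println("</body></html>");
        out.flush();
    }
}
```

The error page is deliberately static: echoing the request URI or any header into it would open a trivial reflected-XSS hole on an otherwise unauthenticated page.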

