tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 52500] Improve client certificate authentication
Date Mon, 23 Jan 2012 13:22:16 GMT

--- Comment #3 from Michael <> 2012-01-23 13:22:16 UTC ---
I want to improve current implementation of the client certificate
authentication (SSLAuthenticator)
Current implementation of SSLAuthenticator takes the user identifier from the
whole SubjectDN.
During my work with our enterprise customers I have found the following:
1)    It is common case when the user identifier is stored in the Subject
Alternative Name of the client certificate.
2)    When the user identifier is stored in the SubjectDN of the client
certificate it can be stored in e-mail, CN or in the hold SubjectDN
See the attached x509Examples.docx
I recommend to improve the Tomcat client certificate authentication and allow
to take user identifier from the Subject Alternative Name or from SubjectDN. 
The attached code allows to do it using the following configuration:
    <Valve className="org.apache.catalina.authenticator.SSLAuthenticator"
userIdentifierRetrieveFieldPart="otherName" />  

    <Valve className="org.apache.catalina.authenticator.SSLAuthenticator"
userIdentifierRetrieveField="SubjectDN"  userIdentifierRetrieveFieldPart="e" /> 

The attached code already works more than year at production in more than one
Open issues:
1)    The implementation of SubjectAlternativeNameRetriever depend on bouncy
castel jar. If it is a problem possible to get all required source files into
Tomcat source files. Alternatively, it is possible not to support Subject
Alternative Name – but it is very common use case
2)    I am not sure if the configuration above is the best option – possible to
discuss it
I will happy for your comments.
Best regards,

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message