tomcat-dev mailing list archives
Subject DO NOT REPLY [Bug 52500] Improve client certificate authentication
Date Mon, 23 Jan 2012 19:28:08 GMT

--- Comment #6 from Michael <> 2012-01-23 19:28:08 UTC ---
Dear Mark,
Thank you for the fast comment!

> Patches should be provided in diff -u format against, in preference order:

I will do that once we finalize the patch.

> The intended way to do this is to override the Realm implementation and
> provide an alternative implementation of getPrincipal(X509Certificate).

I have tried to work out the best way to provide the patch.
All realms in Tomcat extend RealmBase.
Do you suggest creating a new realm that extends RealmBase (with the new
implementation of getPrincipal) and having all realms extend that realm?
Or do you want each realm overridden separately?

> I'd be prepared to consider changes to RealmBase to provide options for
> extracting the user name from the certificate but I am -1 on doing this in
> the Authenticators.

I only need the Authenticator for the configuration, and I need your help with
the realm configuration.

Can you explain to me how I can configure realms?

> An additional dependency on bouncy castle is not acceptable. On that topic,
> what is wrong with X509Certificate.getSubjectAlternativeNames() that has
> been present since Java 1.4?

The SubjectAlternativeNameRetriever class uses
Unfortunately, generally the SubjectAlternativeName is stored in
I use the Bouncy Castle classes to convert the value to a string. Is Bouncy
Castle open source?
Why is it not possible to copy 5 source files into the Tomcat baseline?
Alternatively, do you know of a library in the Apache foundation that provides the
following services:

Thanks and best regards,
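For readers of this thread, here is what the plain JDK API gives you for the question Mark quotes above. This is an added illustration, not code from the bug report, from the attached patch or from Tomcat itself. X509Certificate.getSubjectAlternativeNames() returns each GeneralName as a two-element list: the type tag (0 = otherName, 1 = rfc822Name, 2 = dNSName, ...) and the value. For rfc822Name, dNSName, URI, IP address and registeredID the value is a ready String; for otherName (and x400Address, ediPartyName) it is a byte[] holding the DER-encoded name, which is why a UPN in an otherName still needs an ASN.1 decode and why the comment reaches for Bouncy Castle. The class below does that decode by hand with a minimal DER reader, preferring a Microsoft UPN otherName over an rfc822Name, and would be called from a RealmBase subclass's getPrincipal(X509Certificate) as userName(cert.getSubjectAlternativeNames()). The class name SanUserName, the helper names, the preference order and the sample SAN entries in main() are all constructed for this example.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;

public class SanUserName {

    static final int OTHER_NAME = 0;   // GeneralName tags as used by getSubjectAlternativeNames()
    static final int RFC822_NAME = 1;
    // Microsoft User Principal Name OID, the otherName found in smart-card logon certificates.
    static final String UPN_OID = "1.3.6.1.4.1.311.20.2.3";

    /** Minimal DER cursor: tag, length (short and long form) and content octets. */
    static final class Der {
        final byte[] b; int pos;
        Der(byte[] b) { this.b = b; }
        int tag() { return b[pos++] & 0xFF; }
        int len() {
            int l = b[pos++] & 0xFF;
            if (l < 0x80) return l;                 // short form
            int n = l & 0x7F; l = 0;                // long form: n following length octets
            for (int i = 0; i < n; i++) l = (l << 8) | (b[pos++] & 0xFF);
            return l;
        }
        byte[] value(int len) { byte[] v = Arrays.copyOfRange(b, pos, pos + len); pos += len; return v; }
    }

    /** Dotted-decimal form of OID content octets (first octet encodes the first two arcs). */
    static String decodeOid(byte[] v) {
        StringBuilder sb = new StringBuilder();
        int first = v[0] & 0xFF;
        sb.append(first / 40).append('.').append(first % 40);
        long acc = 0;
        for (int i = 1; i < v.length; i++) {        // remaining arcs are base-128, high bit = continue
            acc = (acc << 7) | (v[i] & 0x7F);
            if ((v[i] & 0x80) == 0) { sb.append('.').append(acc); acc = 0; }
        }
        return sb.toString();
    }

    /**
     * OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }.
     * Returns {oid, text} when the value is a UTF8String/IA5String/PrintableString, else null.
     */
    static String[] decodeOtherName(byte[] der) {
        Der d = new Der(der);
        if (d.tag() != 0x30) return null;           // SEQUENCE
        d.len();
        if (d.tag() != 0x06) return null;           // OBJECT IDENTIFIER
        String oid = decodeOid(d.value(d.len()));
        if (d.tag() != 0xA0) return null;           // [0] EXPLICIT, constructed
        d.len();
        int t = d.tag();
        byte[] s = d.value(d.len());
        if (t != 0x0C && t != 0x16 && t != 0x13) return null; // UTF8String, IA5String, PrintableString
        return new String[] { oid, new String(s, StandardCharsets.UTF_8) };
    }

    /** User name from SAN entries: UPN otherName first, then the first rfc822Name; null if neither. */
    static String userName(Collection<List<?>> sans) {
        if (sans == null) return null;              // getSubjectAlternativeNames() returns null when the extension is absent
        String email = null;
        for (List<?> entry : sans) {
            int type = (Integer) entry.get(0);
            Object value = entry.get(1);
            if (type == OTHER_NAME && value instanceof byte[]) {
                String[] on = decodeOtherName((byte[]) value);
                if (on != null && UPN_OID.equals(on[0])) return on[1];
            } else if (type == RFC822_NAME && email == null && value instanceof String) {
                email = (String) value;
            }
        }
        return email;
    }

    /** Constructed sample: DER OtherName { UPN OID, [0] UTF8String "alice@corp.example" }. */
    static byte[] sampleUpn() {
        byte[] name = "alice@corp.example".getBytes(StandardCharsets.UTF_8);
        byte[] oid = { 0x2B, 0x06, 0x01, 0x04, 0x01, (byte) 0x82, 0x37, 0x14, 0x02, 0x03 };
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(0x30); out.write(2 + oid.length + 2 + 2 + name.length);
        out.write(0x06); out.write(oid.length); out.write(oid, 0, oid.length);
        out.write(0xA0); out.write(2 + name.length);
        out.write(0x0C); out.write(name.length); out.write(name, 0, name.length);
        return out.toByteArray();
    }

    public static void main(String[] args) {
        // Constructed SAN list in the shape getSubjectAlternativeNames() returns.
        List<List<?>> sans = new ArrayList<>();
        sans.add(Arrays.asList(RFC822_NAME, "alice@example.com"));
        sans.add(Arrays.asList(OTHER_NAME, sampleUpn()));
        System.out.println("with UPN:    " + userName(sans));
        System.out.println("rfc822 only: " + userName(sans.subList(0, 1)));
    }
}
```

The rfc822Name case needs no decoding at all, which is the point of the quoted question; the otherName case is the only one that forces ASN.1 handling. Anything this decoder does not recognise yields null rather than a guessed name, and getSubjectAlternativeNames() itself throws CertificateParsingException on a malformed extension, so the caller should treat both as "no usable name" rather than fall back to a weaker identifier.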

