tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 52500] Improve client certificate authentication
Date Tue, 24 Jan 2012 15:51:11 GMT

--- Comment #11 from Michael <> 2012-01-24 15:51:11 UTC ---
Dear Mark,
Thank you for the comments!
- I have defined an interface for transforming certs to user names -
- I have added an attribute to RealmBase that allows custom implementations of
this transform to be specified (by full class name) -
- I have modified RealmBase to use this transformation
- I have provided a default transformation that is the same as the current code
- DefaultSubjectDnRetriever 

Any case, I strongly recommend to add additional transformations out of the box
since it will allow to use Tomcat for the client certificate authentication.
It will allow easy configuration to do it. See and the examples below: 
<Realm className="…" x509UserIdentifierRetrieveField="SubjectAlternativeName" 
x509UserIdentifierRetrieveFieldPart="otherName" />
<Realm className="…" x509UserIdentifierRetrieveField="SubjectDN" 
x509UserIdentifierRetrieveFieldPart="e" />
I also can contribute the attached x509Configuration.docx for better
In addition, I strongly recommend to add out of the box
SubjectAlternativeNameRetriever. It is used by big enterprise customers. For
example, you can not take information from CAC ( without
As I stated before, I can copy 5 required classes from to
Tomcat baseline if you do not have objections.
Please find attached diff for asf/tomcat/trunk
My questions / Action items:
1)    I do not like the place that I use now to call to
createUserIdentifierRetriever method
I want to call it when Realm is instantiated and all properties are set.
I need method like afterPropertiesSet of Spring :)
Do you have something like this for Realm?
2)    I need to add Javadocs for the new methods in Realm.
I will happy for your comments.
Best regards,

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message