tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 52500] Improve client certificate authentication
Date Mon, 13 Feb 2012 20:51:40 GMT

--- Comment #22 from Christopher Schultz 2012-02-13 20:51:40 UTC ---
> Please find attached patch that provides OOTB UserNameRetriever that retrieves
> the user name from SubjectDN without any additional dependency.

That looks great.

> I have added the UserNameRetrieverDecorator class that allows to load the user
> provided UserNameRetriever. In addition, I have added the
> UserNameRetrieverConfiguration interface that allows to configure the user
> provided UserNameRetriever

I'm not sure why either of these are necessary. I think that UserNameRetriever
(maybe a better name would be X509UserNameRetriever now that I think about it)
interface, the SubjectDNRetriever, and minimal changes to RealmBase.

Note that no changes are required to the Realm interface: the selection of a
UserNameRetriever is an implementation detail that can safely be left in

> Please find the attached html file – I promise to convert it to the simple txt
> file when the patch will be finalized.

The best thing to do is to have a decent patch against the Tomcat configuration
documentation. Look at the file webapps/docs/config/realm.xml for the source to
the current "Realm" configuration page: that's the proper place to document the
new configuration attributes and describe how they can be used. Also, the
javadocs should contain similar information (although obviously not XML-related
because XML isn't part of the API itself). Basically, no documentation should
be required that isn't part of your patch.

I'm happy to commit your patch with the above changes. If you'd like to take
another crack at an updated patch, that's fine, too. If you do submit another
one, please don't include "@author" tags in the source files: it's been our
policy for some time not to include @author tags, though there certainly are
many in the code that have been there for a long time and might not be purged
just because nobody cares enough to do so. Don't worry, you'll get your name
into the change log :)

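Added example, not part of the original message or the attached patch: a sketch of the shape discussed above, one small retriever interface plus a SubjectDN-based implementation that uses only JDK classes. The type names follow those mentioned in the thread; the method signatures, the `fromSubject` helper, the choice of CN as the default attribute, and the refuse-on-ambiguity behaviour are assumptions.

```java
import java.security.cert.X509Certificate;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

// Hypothetical interface, named as suggested in the comment above.
interface X509UserNameRetriever {
    // Returns the user name for the certificate, or null if none can be derived.
    String getUserName(X509Certificate clientCert);
}

// Hypothetical retriever: maps one SubjectDN attribute (CN by default) to the user name.
class SubjectDNRetriever implements X509UserNameRetriever {
    private final String attributeType;

    SubjectDNRetriever() { this("CN"); }
    SubjectDNRetriever(String attributeType) { this.attributeType = attributeType; }

    @Override
    public String getUserName(X509Certificate clientCert) {
        return clientCert == null ? null : fromSubject(clientCert.getSubjectX500Principal());
    }

    String fromSubject(X500Principal subject) {
        String found = null;
        try {
            // Parse the DN instead of splitting on commas: values may contain escaped commas.
            LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
            for (Rdn rdn : dn.getRdns()) {
                Attribute attr = rdn.toAttributes().get(attributeType); // covers multi-valued RDNs
                if (attr == null) continue;
                if (found != null || attr.size() != 1) return null;    // ambiguous: refuse to pick one
                Object value = attr.get();
                if (!(value instanceof String)) return null;            // hex-encoded (non-string) value
                found = (String) value;
            }
        } catch (NamingException e) {
            return null;                                                // unparseable DN: no user name
        }
        return (found == null || found.isEmpty()) ? null : found;
    }
}

public class SubjectDNRetrieverDemo {
    public static void main(String[] args) {
        // Constructed sample subject; the CN contains an escaped comma.
        X500Principal subject = new X500Principal("CN=Smith\\, Jane,OU=Eng,O=Example");
        System.out.println(new SubjectDNRetriever().fromSubject(subject));
    }
}
```

Returning null when the attribute is missing or appears more than once lets the caller fail the authentication rather than map the certificate to a user name chosen arbitrarily.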