tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 52500] Improve client certificate authentication
Date Tue, 14 Feb 2012 17:49:48 GMT

--- Comment #24 from Christopher Schultz <> 2012-02-14 17:49:48
UTC ---
> >I'm not sure why either of these are necessary. 
> >I think that UserNameRetriever (maybe a better name 
> >would be X509UserNameRetriever now that I think about it)
> >interface, the SubjectDNRetriever, and minimal changes to RealmBase.
> I am confused. According to my understanding, we want to provide the ability to
> use a user provided X509UserNameRetriever.
> The purpose of UserNameRetrieverDecorator is to return the user name by the
> default X509UserNameRetriever if the X509UserNameRetriever provided by a user
> will return the empty user name.

I think that any X509UserNameRetriever should be required to provide something
that is non-null. There's no reason for "client code" not to extend
SubjectDNRetriever and simply delegate to the superclass if the name isn't
otherwise found. I don't think it's necessary to provide that fallback logic in
Tomcat itself: it the user is going to provide an implementation of an
X509UserNameRetriever, then it should be *the* implementation that is used, not
one of several that Tomcat has to manage.

> Regarding UserNameRetrieverConfiguration – it allow easy configuration of a
> user provided X509UserNameRetriever.

I think all we need is a single method in the RealmBase class that can accept
the name of the class. The default is SubjectDNRetriever, but the user can set
it to whatever they want.

> I think it is very useful if you create your own X509UserNameRetriever.

I'm not sure what it adds.

> >Basically, no documentation should be required 
> >that isn't part of your patch.
> So, I will not provide the client certificate description. Correct?
> Waiting for your comments.

You don't have to introduce the concept of client certificates, no.

I think it's obvious to anyone who is reading this type of documentation what
is going on: you are making it possible to customize the information used from
the client certificate to produce a username that Tomcat uses.

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message