tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 52500] Improve client certificate authentication
Date Wed, 01 Feb 2012 20:57:49 GMT
https://issues.apache.org/bugzilla/show_bug.cgi?id=52500

--- Comment #16 from Christopher Schultz <chris@christopherschultz.net> 2012-02-01 20:57:49 UTC ---
(In reply to comment #11)
> - I have provided a default transformation that is the same as the current code
> - DefaultSubjectDnRetriever 
> 
> In any case, I strongly recommend adding additional transformations out of the box
> since it will allow Tomcat to be used for client certificate authentication.
> It will allow easy configuration to do it. See and the examples below: 
> <Realm className="…" x509UserIdentifierRetrieveField="SubjectAlternativeName" 
> x509UserIdentifierRetrieveFieldPart="otherName" />

I think the idea was that you would be able to configure the realm like this:

<Realm className="..." x509UserIdentifierRetriever="....SubjectDnRetriever" />

(Where my example shown above is the default)

That way, the x509UserIdentifierRetriever can support whatever requirements are
necessary in the deployment environment, rather than having a large list of
attributes for RealmBase to juggle around.

> I also can contribute the attached x509Configuration.docx for better
> explanation.

In the future, please provide more democratic documentation. For instance,
plain-text or OpenDocument format. Plain text is better because it does not
require a viewer external to the web browser.

> In addition, I strongly recommend adding out of the box
> SubjectAlternativeNameRetriever.

Let's get the interface nailed down first, then we can implement as many
UserIdentifierRetrievers as are appropriate.
