tomcat-dev mailing list archives

Subject DO NOT REPLY [Bug 52500] Improve client certificate authentication
Date Wed, 01 Feb 2012 20:57:49 GMT

--- Comment #16 from Christopher Schultz <> 2012-02-01 20:57:49 UTC ---
(In reply to comment #11)
> - I have provided a default transformation that is the same as the current code
> - DefaultSubjectDnRetriever
> In any case, I strongly recommend adding additional transformations out of the box
> since it will allow using Tomcat for client certificate authentication.
> It will allow easy configuration to do it. See the examples below:
> <Realm className="…" x509UserIdentifierRetrieveField="SubjectAlternativeName" 
> x509UserIdentifierRetrieveFieldPart="otherName" />

I think the idea was that you would be able to configure the realm like this:

<Realm className="..." x509UserIdentifierRetriever="....SubjectDnRetriever" />

(Where my example shown above is the default)

That way, the x509UserIdentifierRetriever can support whatever requirements are
necessary in the deployment environment, rather than having a large list of
attributes for RealmBase to juggle around.

> I also can contribute the attached x509Configuration.docx for better
> explanation.

In the future, please provide more democratic documentation. For instance,
plain-text or OpenDocument format. Plain text is better because it does not
require a viewer external to the web browser.

> In addition, I strongly recommend to add out of the box
> SubjectAlternativeNameRetriever.

Let's get the interface nailed down first, then we can implement as many
UserIdentifierRetrievers as are appropriate.

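The pluggable design discussed in this thread (one `x509UserIdentifierRetriever` interface, with a subject-DN implementation as the default and a SubjectAlternativeName implementation as a second out-of-the-box option) can be sketched as follows. This is an added illustration, not code from Tomcat or from either commenter; the interface name, method name and class names are assumptions modelled on the attribute names in the thread, and the example reads a certificate from a file given on the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

// Hypothetical interface (assumption): the realm is configured with one
// implementation and asks it for the user identifier of a presented cert.
interface X509UserIdentifierRetriever {
    // Returns null when the certificate carries no usable identifier; the
    // realm then treats the request as unauthenticated rather than guessing.
    String getUserIdentifier(X509Certificate cert);
}

// Default: the RFC 2253 subject DN string, the behaviour the existing code
// is described as having in the thread.
final class SubjectDnRetriever implements X509UserIdentifierRetriever {
    @Override
    public String getUserIdentifier(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName();
    }
}

// Alternative: one SubjectAlternativeName entry of a chosen GeneralName type.
final class SubjectAlternativeNameRetriever implements X509UserIdentifierRetriever {
    // GeneralName tag values as returned by X509Certificate.getSubjectAlternativeNames()
    static final int OTHER_NAME = 0;
    static final int RFC822_NAME = 1;
    static final int DNS_NAME = 2;
    static final int URI = 6;

    private final int wantedType;

    SubjectAlternativeNameRetriever(int wantedType) {
        this.wantedType = wantedType;
    }

    @Override
    public String getUserIdentifier(X509Certificate cert) {
        Collection<List<?>> sans;
        try {
            sans = cert.getSubjectAlternativeNames();
        } catch (CertificateParsingException e) {
            return null; // malformed extension: no identifier, do not fall back to the DN
        }
        if (sans == null) {
            return null; // extension absent
        }
        for (List<?> san : sans) {
            int type = (Integer) san.get(0);
            Object value = san.get(1);
            // rfc822Name, dNSName and URI come back as String. otherName (type 0)
            // comes back DER-encoded as byte[] and needs an ASN.1 decoder before
            // it can be used as an identifier, so it is deliberately not returned here.
            if (type == wantedType && value instanceof String) {
                return (String) value;
            }
        }
        return null;
    }
}

final class RetrieverDemo {
    // Usage: javac RetrieverDemo.java && java RetrieverDemo client-cert.pem
    public static void main(String[] args) throws Exception {
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        X509UserIdentifierRetriever[] retrievers = {
            new SubjectDnRetriever(),
            new SubjectAlternativeNameRetriever(SubjectAlternativeNameRetriever.RFC822_NAME),
            new SubjectAlternativeNameRetriever(SubjectAlternativeNameRetriever.DNS_NAME),
        };
        for (X509UserIdentifierRetriever r : retrievers) {
            System.out.println(r.getClass().getSimpleName() + " -> " + r.getUserIdentifier(cert));
        }
    }
}
```

The point of returning null instead of silently falling back to another field is that the identifier chosen by the deployer is the one the realm looks up; a certificate that lacks that field should fail authentication rather than be matched on a different name the issuing CA may not have constrained.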