tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alex Tang <altitudes...@funkware.com>
Subject Re: 3.3.1 Standalone and Client-Auth
Date Wed, 12 Feb 2003 08:12:45 GMT
On Tue, Feb 11, 2003 at 10:42:33PM -0800, Bill Barker wrote:
> 
> "Alex Tang" <altitudespam@funkware.com> wrote in message
> news:20030211212626.GD27246@funkware.com...
> > Hi folks.
> >
> > I was wondering if it's possible to get client certificate information
> > from tomcat (3.3.1) when running STANDALONE (e.g. NOT using mod_jk or an
> > external webserver).
> >
> > I can setup tomcat so that it requires client-auth properly, however I
> > don't seem to be able to programmatically get at any of the certificate
> > information.
> >
> 
> This sounds like you've found the clientauth="true" attribute on the
> Http10Connector element.  This causes Tomcat to requre a client cert for
> each SSL request (unlike TC 4.x, it's an all-or-nothing setting).

Hi bill.  Thanks for your response.

Yes, i did find "clientauth='true'".  It does make my tc 3.3.1 instance
require a client-cert for everything.  

> You should then be able to access the top-level cert (all that can be
> exposed under the 2.2 Servlet-spec :() via
> 'request.getAttribute("javax.servlet.request.X509Certificate")'.  As per
> section 5.7 of the 2.2 spec, this will be of type
> java.security.cert.X509Certificate.
> 
> I haven't tried this with the Http10Connector for a very long time (it seems
> to work fine with the 3.3.2-dev CoyoteConnector).  If you are still having
> problems, please report it to http://nagoya.apache.org/bugzilla/.


OK, this is getting more bizarre (well, for me at least).  Orignally, i
was testing using SnoopServlet, and looking the values of "Request
attributes:" (which just iterating over the Enumeration returned from
"request.getAttributeNames()").  

When using apache and mod_jk, i am getting the attributes: 

   javax.servlet.request.cipher_suite 
   javax.servlet.request.X509Certificate
   javax.servlet.request.ssl_session

(Thanks to your reference, I realize that only the X509Certificate
attribute is required by the servlet 2.2 spec.)

When running in tomcat standalone, i get an empty Enumeration returned
from "request.getAttributeNames()".  I thought that the cert information was
not available.  However, if i do 

    request.getAttribute ( "javax.servlet.request.X509Certificate" );

a valid X509Certificate array is returned.  

Why is this attribute not showing up when doing
"request.getAttributeNames()"?  A sample servlet and the response i'm
receiving is included below.

Thanks again.

...alex...


FYI: Here's a test servlet (basically a modified SnoopServlet):

---------------------------------------------------------------------------
import java.io.IOException;
import java.io.PrintWriter;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.security.cert.*;

public class TestServlet extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
    {   
        PrintWriter out = response.getWriter();
        response.setContentType("text/plain");

        out.println("Test Servlet");
        out.println();

        out.println("Dumping Request attributes:");
        Enumeration e = request.getAttributeNames();

        while (e.hasMoreElements()) {
            String key = (String)e.nextElement();
            Object value = request.getAttribute(key);
            out.println("   " + key + " = " + value);
        }


        out.println("END Request attributes:");
        out.println();

        out.println("Dumping request attribute " +
                "javax.servlet.request.X509Certificate" );

        X509Certificate[] certs = (X509Certificate[])request.getAttribute (
                "javax.servlet.request.X509Certificate" );
        if ( certs != null ) {
            for ( int i = 0; i < certs.length; i++ ) {
                out.println ( "  CERT " + i + ": " + 
                        certs[i].getSubjectDN().getName() );
            }
        }
        out.println("END  request attribute " +
                "javax.servlet.request.X509Certificate" );
    }
}
---------------------------------------------------------------------------


When I use tomcat 3.3.1 in standalone, i get the following results:

---------------------------------------------------------------------------
    Test Servlet

    Dumping Request attributes:
    END Request attributes:

    Dumping request attribute javax.servlet.request.X509Certificate
      CERT 0: CN=Alex Tang, OU=People, O=Funkware, C=US
    END  request attribute javax.servlet.request.X509Certificate
---------------------------------------------------------------------------

And for comparison, when i use apache and mod_jk, i get the following:



---------------------------------------------------------------------------
Test Servlet

Dumping Request attributes:
   javax.servlet.request.cipher_suite = RC4-MD5
   javax.servlet.request.X509Certificate = [Ljava.security.cert.X509Certificate;@203c31
   javax.servlet.request.ssl_session = 77971778D91F8A7AD58E765BDD7C3C1BD1AA05ADCC5B279BC5C7845F14AAE915
END Request attributes:

Dumping request attribute javax.servlet.request.X509Certificate
  CERT 0: CN=Alex Tang, OU=People, O=Funkware, C=US

---------------------------------------------------------------------------

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message