tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: 3.3.1 Standalone and Client-Auth
Date Thu, 13 Feb 2003 07:30:17 GMT

"Alex Tang" <altitudespam@funkware.com> wrote in message
news:20030212081245.GA27615@funkware.com...
> On Tue, Feb 11, 2003 at 10:42:33PM -0800, Bill Barker wrote:
> >
> > "Alex Tang" <altitudespam@funkware.com> wrote in message
> > news:20030211212626.GD27246@funkware.com...
> > > Hi folks.
> > >
> > > I was wondering if it's possible to get client certificate information
> > > from tomcat (3.3.1) when running STANDALONE (e.g. NOT using mod_jk or an
> > > external webserver).
> > >
> > > I can setup tomcat so that it requires client-auth properly, however I
> > > don't seem to be able to programmatically get at any of the certificate
> > > information.
> > >
> >
> > This sounds like you've found the clientauth="true" attribute on the
> > Http10Connector element.  This causes Tomcat to require a client cert for
> > each SSL request (unlike TC 4.x, it's an all-or-nothing setting).
>
> Hi bill.  Thanks for your response.
>
> Yes, i did find "clientauth='true'".  It does make my tc 3.3.1 instance
> require a client-cert for everything.
>
> > You should then be able to access the top-level cert (all that can be
> > exposed under the 2.2 Servlet-spec :() via
> > 'request.getAttribute("javax.servlet.request.X509Certificate")'.  As per
> > section 5.7 of the 2.2 spec, this will be of type
> > java.security.cert.X509Certificate.
> >
> > I haven't tried this with the Http10Connector for a very long time (it seems
> > to work fine with the 3.3.2-dev CoyoteConnector).  If you are still having
> > problems, please report it to http://nagoya.apache.org/bugzilla/.
>
>
> OK, this is getting more bizarre (well, for me at least).  Originally, I
> was testing using SnoopServlet, and looking at the values of "Request
> attributes:" (which just iterates over the Enumeration returned from
> "request.getAttributeNames()").
>
> When using apache and mod_jk, i am getting the attributes:
>
>    javax.servlet.request.cipher_suite
>    javax.servlet.request.X509Certificate
>    javax.servlet.request.ssl_session
>
> (Thanks to your reference, I realize that only the X509Certificate
> attribute is required by the servlet 2.2 spec.)
>
> When running in tomcat standalone, I get an empty Enumeration returned
> from "request.getAttributeNames()".  I thought that the cert information was
> not available.  However, if I do
>
>     request.getAttribute ( "javax.servlet.request.X509Certificate" );
>
> a valid X509Certificate array is returned.
>
> Why is this attribute not showing up when doing
> "request.getAttributeNames()"?  A sample servlet and the response I'm
> receiving are included below.
>
> Thanks again.

Because it is expensive to compute for people that don't care about it, this
attribute is a lazy-evaluation one.  It only shows up after you request it.
There is not (currently) a method in the mod_jk protocol to call back for
the SSL attributes, so it collects and sends them all (despite the cost :).
That's why you see it using mod_jk.

>
> ...alex...
>
>
> FYI: Here's a test servlet (basically a modified SnoopServlet):
>
> ---------------------------------------------------------------------------
> import java.io.IOException;
> import java.io.PrintWriter;
> import java.util.*;
> import javax.servlet.*;
> import javax.servlet.http.*;
> import java.security.cert.*;
>
> public class TestServlet extends HttpServlet {
>
>     public void doGet(HttpServletRequest request, HttpServletResponse response)
>         throws ServletException, IOException
>     {
>         // Set the content type before obtaining the writer so it takes effect.
>         response.setContentType("text/plain");
>         PrintWriter out = response.getWriter();
>
>         out.println("Test Servlet");
>         out.println();
>
>         // List every attribute the container currently exposes by name.
>         out.println("Dumping Request attributes:");
>         Enumeration e = request.getAttributeNames();
>
>         while (e.hasMoreElements()) {
>             String key = (String)e.nextElement();
>             Object value = request.getAttribute(key);
>             out.println("   " + key + " = " + value);
>         }
>
>         out.println("END Request attributes:");
>         out.println();
>
>         // Now ask for the certificate attribute explicitly by name.
>         out.println("Dumping request attribute " +
>                 "javax.servlet.request.X509Certificate" );
>
>         X509Certificate[] certs = (X509Certificate[])request.getAttribute(
>                 "javax.servlet.request.X509Certificate" );
>         if ( certs != null ) {
>             for ( int i = 0; i < certs.length; i++ ) {
>                 out.println ( "  CERT " + i + ": " +
>                         certs[i].getSubjectDN().getName() );
>             }
>         }
>         out.println("END  request attribute " +
>                 "javax.servlet.request.X509Certificate" );
>     }
> }
> ---------------------------------------------------------------------------
>
>
> When I use tomcat 3.3.1 in standalone, I get the following results:
>
> ---------------------------------------------------------------------------
>     Test Servlet
>
>     Dumping Request attributes:
>     END Request attributes:
>
>     Dumping request attribute javax.servlet.request.X509Certificate
>       CERT 0: CN=Alex Tang, OU=People, O=Funkware, C=US
>     END  request attribute javax.servlet.request.X509Certificate
> ---------------------------------------------------------------------------
>
> And for comparison, when I use apache and mod_jk, I get the following:
>
> ---------------------------------------------------------------------------
> Test Servlet
>
> Dumping Request attributes:
>    javax.servlet.request.cipher_suite = RC4-MD5
>    javax.servlet.request.X509Certificate = [Ljava.security.cert.X509Certificate;@203c31
>    javax.servlet.request.ssl_session = 77971778D91F8A7AD58E765BDD7C3C1BD1AA05ADCC5B279BC5C7845F14AAE915
> END Request attributes:
>
> Dumping request attribute javax.servlet.request.X509Certificate
>   CERT 0: CN=Alex Tang, OU=People, O=Funkware, C=US
>
> ---------------------------------------------------------------------------
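As an added example (not Alex's test servlet or Tomcat's own code), the practical consequence of Bill's point: a Servlet 2.2-era servlet should fetch javax.servlet.request.X509Certificate by name rather than look for it in getAttributeNames(), and should check that the attribute is present and that the certificate is inside its validity period before trusting the subject DN. The class name ClientCertServlet and the helper clientCert() are my own choices.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ClientCertServlet extends HttpServlet {
    // The one SSL attribute Servlet 2.2 (section 5.7) requires a container to expose.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Returns the client's end-entity certificate, or null if none was negotiated.
    // Fetched by name on purpose: on Tomcat 3.3.1 standalone the attribute is
    // computed lazily and is missing from getAttributeNames() until first requested.
    static X509Certificate clientCert(HttpServletRequest request) {
        Object value = request.getAttribute(CERT_ATTR);
        if (!(value instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) value;
        // chain[0] is the certificate the client presented; later entries are issuers.
        return chain.length > 0 ? chain[0] : null;
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
    {
        X509Certificate cert = clientCert(request);
        if (cert == null) {
            // clientauth="true" should make this unreachable; do not rely on it.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        try {
            // TLS already verified the chain signature; still reject a certificate
            // that is expired or not yet valid at request time.
            cert.checkValidity();
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate outside its validity period");
            return;
        }
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("Authenticated subject: " + cert.getSubjectDN().getName());
        out.println("Issued by: " + cert.getIssuerDN().getName());
    }
}
```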