Date: Wed, 12 Feb 2003 00:12:45 -0800
From: Alex Tang
To: Tomcat Users List <tomcat-user@jakarta.apache.org>
Subject: Re: 3.3.1 Standalone and Client-Auth
Message-ID: <20030212081245.GA27615@funkware.com>
References: <20030211212626.GD27246@funkware.com>
List-Id: "Tomcat Users List"
User-Agent: Mutt/1.5.1i

On Tue, Feb 11, 2003 at 10:42:33PM -0800, Bill Barker wrote:
>
> "Alex Tang" wrote in message
> news:20030211212626.GD27246@funkware.com...
> > Hi folks.
> >
> > I was wondering if it's possible to get client certificate information
> > from tomcat (3.3.1) when running STANDALONE (e.g. NOT using mod_jk or an
> > external webserver).
> >
> > I can set up tomcat so that it requires client-auth properly, however I
> > don't seem to be able to programmatically get at any of the certificate
> > information.
> >
>
> This sounds like you've found the clientauth="true" attribute on the
> Http10Connector element. This causes Tomcat to require a client cert for
> each SSL request (unlike TC 4.x, it's an all-or-nothing setting).

Hi Bill. Thanks for your response.

Yes, I did find "clientauth='true'". It does make my tc 3.3.1 instance
require a client-cert for everything.

> You should then be able to access the top-level cert (all that can be
> exposed under the 2.2 Servlet-spec :() via
> 'request.getAttribute("javax.servlet.request.X509Certificate")'. As per
> section 5.7 of the 2.2 spec, this will be of type
> java.security.cert.X509Certificate.
>
> I haven't tried this with the Http10Connector for a very long time (it seems
> to work fine with the 3.3.2-dev CoyoteConnector). If you are still having
> problems, please report it to http://nagoya.apache.org/bugzilla/.

OK, this is getting more bizarre (well, for me at least).

Originally, I was testing using SnoopServlet, and looking at the values of
"Request attributes:" (which just iterates over the Enumeration returned
from "request.getAttributeNames()").

When using apache and mod_jk, I am getting the attributes:

    javax.servlet.request.cipher_suite
    javax.servlet.request.X509Certificate
    javax.servlet.request.ssl_session

(Thanks to your reference, I realize that only the X509Certificate attribute
is required by the servlet 2.2 spec.)

When running in tomcat standalone, I get an empty Enumeration returned from
"request.getAttributeNames()". I thought that the cert information was not
available. However, if I do

    request.getAttribute ( "javax.servlet.request.X509Certificate" );

a valid X509Certificate array is returned.

Why is this attribute not showing up when doing "request.getAttributeNames()"?

A sample servlet and the response I'm receiving are included below.

Thanks again.

...alex...
FYI: Here's a test servlet (basically a modified SnoopServlet):

---------------------------------------------------------------------------
import java.io.IOException;
import java.io.PrintWriter;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.security.cert.*;

public class TestServlet extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // Set the content type before obtaining the writer; once getWriter()
        // has been called, the charset part of the content type is ignored.
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();

        out.println("Test Servlet");
        out.println();

        // Enumerate every request attribute the container advertises.
        out.println("Dumping Request attributes:");
        Enumeration e = request.getAttributeNames();
        while (e.hasMoreElements()) {
            String key = (String) e.nextElement();
            Object value = request.getAttribute(key);
            out.println("  " + key + " = " + value);
        }
        out.println("END Request attributes:");
        out.println();

        // Ask for the spec-mandated certificate attribute directly by name.
        out.println("Dumping request attribute "
                + "javax.servlet.request.X509Certificate");
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(
                "javax.servlet.request.X509Certificate");
        if (certs != null) {
            for (int i = 0; i < certs.length; i++) {
                out.println("  CERT " + i + ": "
                        + certs[i].getSubjectDN().getName());
            }
        }
        out.println("END request attribute "
                + "javax.servlet.request.X509Certificate");
    }
}
---------------------------------------------------------------------------

When I use tomcat 3.3.1 in standalone, I get the following results:

---------------------------------------------------------------------------
Test Servlet

Dumping Request attributes:
END Request attributes:

Dumping request attribute javax.servlet.request.X509Certificate
  CERT 0: CN=Alex Tang, OU=People, O=Funkware, C=US
END request attribute javax.servlet.request.X509Certificate
---------------------------------------------------------------------------

And for comparison, when I use apache and mod_jk, I get the following:

---------------------------------------------------------------------------
Test Servlet

Dumping Request attributes:
  javax.servlet.request.cipher_suite = RC4-MD5
  javax.servlet.request.X509Certificate = [Ljava.security.cert.X509Certificate;@203c31
  javax.servlet.request.ssl_session = 77971778D91F8A7AD58E765BDD7C3C1BD1AA05ADCC5B279BC5C7845F14AAE915
END Request attributes:

Dumping request attribute javax.servlet.request.X509Certificate
  CERT 0: CN=Alex Tang, OU=People, O=Funkware, C=US
---------------------------------------------------------------------------

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
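The practical lesson of the exchange is that a servlet must fetch the certificate chain by the attribute name the Servlet 2.2 spec mandates and must not use its presence in getAttributeNames() as a signal that a certificate was presented: on Tomcat 3.3.1 standalone the enumeration is empty while the attribute is still readable. The following servlet is an added example written for this page, not code from Alex's message or from Tomcat. It reads the chain by name, then applies an application-level policy (validity window plus a subject allowlist) on top of the connector's own truststore check. The class name, the helper methods and the allowlist are hypothetical; the allowlisted DN is a constructed value copied from the sample output above.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example, not code from the thread or from Tomcat. The chain is read
 * through request.getAttribute(...) only; getAttributeNames() is never
 * consulted, because Tomcat 3.3.1 standalone returns an empty enumeration
 * even when the attribute is populated.
 */
public class ClientCertCheckServlet extends HttpServlet {

    // Attribute name mandated by Servlet 2.2, section 5.7 (cited in the thread).
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Hypothetical allowlist of end-entity subjects. The DN is a constructed
    // value taken from the sample output in the thread.
    static final Set<X500Principal> ALLOWED_SUBJECTS = Collections.unmodifiableSet(
            new HashSet<X500Principal>(Arrays.asList(
                    new X500Principal("CN=Alex Tang, OU=People, O=Funkware, C=US"))));

    /**
     * Returns the presented chain (end-entity certificate first) or null when
     * the connector supplied no certificate.
     */
    static X509Certificate[] clientCertChain(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (attr instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) attr;
            if (chain.length > 0) {
                return chain;
            }
        }
        return null;
    }

    /**
     * Application policy on top of the connector's truststore verification:
     * the end-entity certificate must be within its validity window and its
     * subject must be on the allowlist. Returns the matched subject or null.
     * X500Principal.equals/hashCode work on the canonical DN form, so the
     * comparison does not depend on the exact string spelling of the DN.
     */
    static X500Principal authorizedSubject(X509Certificate[] chain,
                                           Set<X500Principal> allowed) {
        if (chain == null) {
            return null;
        }
        X509Certificate leaf = chain[0];
        try {
            // Throws CertificateExpiredException or CertificateNotYetValidException,
            // both subclasses of CertificateException.
            leaf.checkValidity();
        } catch (CertificateException expiredOrNotYetValid) {
            return null;
        }
        X500Principal subject = leaf.getSubjectX500Principal();
        return allowed.contains(subject) ? subject : null;
    }

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        X509Certificate[] chain = clientCertChain(request);
        X500Principal who = authorizedSubject(chain, ALLOWED_SUBJECTS);
        if (who == null) {
            // Either no certificate reached the servlet (connector not running
            // with clientauth="true") or the certificate failed our policy.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate required and not accepted");
            return;
        }
        response.setContentType("text/plain");   // before getWriter()
        PrintWriter out = response.getWriter();
        out.println("Authenticated client: " + who.getName());
        out.println("Chain length: " + chain.length);
    }
}
```

The connector still has to be configured with clientauth="true" for the attribute to exist at all; the servlet only decides whether the certificate the connector already verified is acceptable for this application. Treating a null attribute as "forbidden" rather than "anonymous" is the safe default when the application is meant to be certificate-only, since a misconfigured connector would otherwise silently let every request through.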