From: "Bill Barker"
Subject: Re: 3.3.1 Standalone and Client-Auth
Date: Wed, 12 Feb 2003 23:30:17 -0800
To: tomcat-user@jakarta.apache.org (Tomcat Users List)
References: <20030211212626.GD27246@funkware.com> <20030212081245.GA27615@funkware.com>

"Alex Tang" wrote in message
news:20030212081245.GA27615@funkware.com...
> On Tue, Feb 11, 2003 at 10:42:33PM -0800, Bill Barker wrote:
> >
> > "Alex Tang" wrote in message
> > news:20030211212626.GD27246@funkware.com...
> > > Hi folks.
> > >
> > > I was wondering if it's possible to get client certificate information
> > > from tomcat (3.3.1) when running STANDALONE (e.g. NOT using mod_jk or an
> > > external webserver).
> > >
> > > I can setup tomcat so that it requires client-auth properly, however I
> > > don't seem to be able to programmatically get at any of the certificate
> > > information.
> > >
> >
> > This sounds like you've found the clientauth="true" attribute on the
> > Http10Connector element. This causes Tomcat to require a client cert for
> > each SSL request (unlike TC 4.x, it's an all-or-nothing setting).
>
> Hi Bill. Thanks for your response.
>
> Yes, I did find "clientauth='true'". It does make my tc 3.3.1 instance
> require a client-cert for everything.
>
> > You should then be able to access the top-level cert (all that can be
> > exposed under the 2.2 Servlet-spec :() via
> > 'request.getAttribute("javax.servlet.request.X509Certificate")'. As per
> > section 5.7 of the 2.2 spec, this will be of type
> > java.security.cert.X509Certificate.
> >
> > I haven't tried this with the Http10Connector for a very long time (it seems
> > to work fine with the 3.3.2-dev CoyoteConnector). If you are still having
> > problems, please report it to http://nagoya.apache.org/bugzilla/.
>
> OK, this is getting more bizarre (well, for me at least). Originally, I
> was testing using SnoopServlet, and looking at the values of "Request
> attributes:" (which just iterates over the Enumeration returned from
> "request.getAttributeNames()").
>
> When using apache and mod_jk, I am getting the attributes:
>
>   javax.servlet.request.cipher_suite
>   javax.servlet.request.X509Certificate
>   javax.servlet.request.ssl_session
>
> (Thanks to your reference, I realize that only the X509Certificate
> attribute is required by the servlet 2.2 spec.)
>
> When running in tomcat standalone, I get an empty Enumeration returned
> from "request.getAttributeNames()". I thought that the cert information was
> not available. However, if I do
>
>   request.getAttribute ( "javax.servlet.request.X509Certificate" );
>
> a valid X509Certificate array is returned.
>
> Why is this attribute not showing up when doing
> "request.getAttributeNames()"? A sample servlet and the response I'm
> receiving is included below.
>
> Thanks again.

Because it is expensive to compute for people that don't care about it, this
attribute is a lazy-evaluation one. It only shows up after you request it.
There is not (currently) a method in the mod_jk protocol to call-back for the
SSL attributes, so it collects and sends them all (despite the cost :). That's
why you see it using mod_jk.

>
> ...alex...
>
> FYI: Here's a test servlet (basically a modified SnoopServlet):
>
> ---------------------------------------------------------------------------
> import java.io.IOException;
> import java.io.PrintWriter;
> import java.util.*;
> import javax.servlet.*;
> import javax.servlet.http.*;
> import java.security.cert.*;
>
> public class TestServlet extends HttpServlet {
>
>     public void doGet(HttpServletRequest request, HttpServletResponse response)
>         throws ServletException, IOException
>     {
>         // Set the content type before obtaining the writer so it takes effect.
>         response.setContentType("text/plain");
>         PrintWriter out = response.getWriter();
>
>         out.println("Test Servlet");
>         out.println();
>
>         // Enumerate whatever attribute names the container currently exposes.
>         out.println("Dumping Request attributes:");
>         Enumeration e = request.getAttributeNames();
>
>         while (e.hasMoreElements()) {
>             String key = (String)e.nextElement();
>             Object value = request.getAttribute(key);
>             out.println("  " + key + " = " + value);
>         }
>
>         out.println("END Request attributes:");
>         out.println();
>
>         out.println("Dumping request attribute " +
>                     "javax.servlet.request.X509Certificate" );
>
>         // Fetch the Servlet 2.2 certificate attribute directly by name.
>         X509Certificate[] certs = (X509Certificate[])request.getAttribute (
>             "javax.servlet.request.X509Certificate" );
>         if ( certs != null ) {
>             for ( int i = 0; i < certs.length; i++ ) {
>                 out.println ( "  CERT " + i + ": " +
>                               certs[i].getSubjectDN().getName() );
>             }
>         }
>         out.println("END request attribute " +
>                     "javax.servlet.request.X509Certificate" );
>     }
> }
> ---------------------------------------------------------------------------
>
> When I use tomcat 3.3.1 in standalone, I get the following results:
>
> ---------------------------------------------------------------------------
> Test Servlet
>
> Dumping Request attributes:
> END Request attributes:
>
> Dumping request attribute javax.servlet.request.X509Certificate
>   CERT 0: CN=Alex Tang, OU=People, O=Funkware, C=US
> END request attribute javax.servlet.request.X509Certificate
> ---------------------------------------------------------------------------
>
> And for comparison, when I use apache and mod_jk, I get the following:
>
> ---------------------------------------------------------------------------
> Test Servlet
>
> Dumping Request attributes:
>   javax.servlet.request.cipher_suite = RC4-MD5
>   javax.servlet.request.X509Certificate = [Ljava.security.cert.X509Certificate;@203c31
>   javax.servlet.request.ssl_session = 77971778D91F8A7AD58E765BDD7C3C1BD1AA05ADCC5B279BC5C7845F14AAE915
> END Request attributes:
>
> Dumping request attribute javax.servlet.request.X509Certificate
>   CERT 0: CN=Alex Tang, OU=People, O=Funkware, C=US
>
> ---------------------------------------------------------------------------
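As an added example, not part of this thread and not Tomcat's own code, the servlet below applies the point made above: on Tomcat 3.3.1 standalone the certificate attribute is computed on demand, so a servlet should ask for `javax.servlet.request.X509Certificate` by name rather than rely on `getAttributeNames()`, and should fail closed when the chain is absent. It assumes the Servlet 2.2 API and a connector configured with clientauth="true"; the class name `ClientCertCheckServlet`, the `isAllowed` helper, the allow-list (seeded with the subject DN from the sample output above) and the error messages are all hypothetical.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet (not from the thread) showing how to read and check the
 * client certificate on Tomcat 3.3.1 standalone, where the attribute is filled
 * in lazily and therefore missing from getAttributeNames() until requested.
 */
public class ClientCertCheckServlet extends HttpServlet {

    /** Attribute name mandated by section 5.7 of the Servlet 2.2 spec. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Constructed allow-list of subject DNs; a real deployment would use its own policy source. */
    static final String[] ALLOWED_SUBJECTS = {
        "CN=Alex Tang, OU=People, O=Funkware, C=US"   // taken from the thread's sample output
    };

    public void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();

        // 1. Fetch by name first. The 3.3.1 standalone connector only builds the
        //    chain when asked, so enumerating attribute names before this call
        //    would not list it.
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);

        // 2. Fail closed: null or empty means no client cert was presented
        //    (plain HTTP, or clientauth not set on the connector).
        if (chain == null || chain.length == 0) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }

        // 3. chain[0] is the end-entity certificate. The container verified the
        //    chain against its truststore during the handshake; re-checking the
        //    validity window here is cheap and guards against a stale session.
        X509Certificate leaf = chain[0];
        try {
            leaf.checkValidity();
        } catch (CertificateExpiredException ex) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate expired");
            return;
        } catch (CertificateNotYetValidException ex) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not yet valid");
            return;
        }

        // 4. Authorise on the subject, not on the mere presence of a certificate.
        String subject = leaf.getSubjectDN().getName();
        if (!isAllowed(subject)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "subject not authorised");
            return;
        }

        out.println("Authenticated client: " + subject);
        out.println("Issuer: " + leaf.getIssuerDN().getName());
        out.println("Serial: " + leaf.getSerialNumber().toString(16));

        // 5. After the explicit getAttribute() call the name is present in the
        //    enumeration, which is the lazy-evaluation behaviour described above.
        out.println();
        out.println("Request attributes after the explicit lookup:");
        Enumeration names = request.getAttributeNames();
        while (names.hasMoreElements()) {
            out.println("  " + names.nextElement());
        }
    }

    /** Exact-match check against the constructed allow-list. */
    static boolean isAllowed(String subjectDn) {
        for (int i = 0; i < ALLOWED_SUBJECTS.length; i++) {
            if (ALLOWED_SUBJECTS[i].equals(subjectDn)) {
                return true;
            }
        }
        return false;
    }
}
```

One caveat on the comparison in step 4: the string returned by `getSubjectDN().getName()` is not guaranteed to use a stable encoding across JDK vendors, so on a JDK that has it (1.4 and later), `getSubjectX500Principal().getName()` gives an RFC 2253 form that is safer to compare against a stored value.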