tomcat-users mailing list archives

From "Bill Barker" <>
Subject Re: SSL Client authentication woes
Date Thu, 02 Oct 2003 06:06:37 GMT

"Christopher Williams" <> wrote in message
> My setup:
> Windows XP Pro
> JDK 1.4.1
> JWSDP 1.0
> I'm hoping to get SSL client authentication working for web services.  I
> up Tomcat for SSL ages ago and it works fine.  However, I run into
> problems when I attempt to use SSL client authentication.
> I have enabled client authentication by changing the value of "clientAuth"
> in server.xml to true.  I removed all <security-constraint> and
> <login-config> entries from my web.xml as they didn't appear to have any
> effect (question: am I right to do so?  I've done my research on the web
> there are no consistent instructions for what to do).

Tomcat currently has only very light support for this, but this is
orthogonal to your current problem.

> When I access https://localhost:8443/ in Internet Explorer, I get notified
> that a private key is being used and the server home page displays fine.
> However, when I first access the page, the following stack trace appears
> Tomcat's console:
>      PoolTcpEndpoint: Handshake failed
> Remote host closed connection
> during handshake
>      ...
>      Caused by: SSL peer shut down incorrectly
>          at
>          ... 7 more
>      ThreadPool: Caught exception executing
>, terminating thread
>      java.lang.NullPointerException
>         at
>         ...
> Does anybody know what the problem is here?

Tomcat obviously doesn't like your client-cert, or (more likely) you don't
have any.  By default, only Verisign & Thawte signed client certs are
recognized (at least with Sun's JVM).  If this is your problem, then you
need to set up a TrustStore (or import the signer into cacerts).  Searching
the archives for 'TrustStore' will give you an answer faster than waiting on

> The second thing is, I want to know who's accessing pages and web
> That's the whole point of authentication, right?  However, when SSL client
> authentication is in force, the following calls all return null:
>     request.getUserPrincipal()
>     request.getRemoteUser()
>     request.getAttribute("javax.servlet.request.X509Certificate")
>     request.getAttribute("org.apache.coyote.request.X509Certificate")
> This seems most bizarre.  At some point these calls must return non-null
> values as they are used in
> org.apache.catalina.authenticator.SSLAuthenticator.  Does anybody know
> whether there are any server settings to make these calls return the
> values?
> Ideally, I would like to have just one or two URL-patterns protected by
> like you do with HTTP authentication rather than it being all or nothing.
> Is this possible with Tomcat?

This is in the FAQ.

> Kind regards,
> Chris Williams.
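The configuration that the reply points at (a truststore on the connector, plus a CLIENT-CERT login-config and a security-constraint so that only chosen URL patterns demand a certificate) is sketched below as an added example; it is not part of the thread and not Tomcat's documentation. The file paths, passwords, role name, URL pattern and subject DN are assumptions, and the connector attribute names are those of Tomcat 6.x (older versions take the truststore from the JVM system properties javax.net.ssl.trustStore and javax.net.ssl.trustStorePassword instead).

```xml
<!-- conf/server.xml: HTTPS connector that verifies client certificates
     against a separate truststore. All paths and passwords are assumed. -->
<Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
           sslProtocol="TLS"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           clientAuth="want"
           truststoreFile="conf/truststore.jks" truststorePass="changeit" />

<!-- WEB-INF/web.xml: only /secure/* requires a client certificate;
     every other URL in the webapp stays reachable without one. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Certificate-only area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>certuser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>certuser</role-name>
</security-role>

<!-- conf/tomcat-users.xml: with CLIENT-CERT the realm looks the user up by
     the certificate's subject DN, so the username is the DN (assumed value);
     the password is not consulted. -->
<user username="CN=Chris Williams, O=Example, C=GB" password="" roles="certuser"/>
```

The truststore is built with keytool before the connector is started, for example `keytool -import -trustcacerts -alias myca -file ca.crt -keystore conf/truststore.jks`; a handshake that fails with "Remote host closed connection" is the usual symptom of the CA of the client certificate not being in that store. With clientAuth="want" the server asks for a certificate but lets the handshake complete without one, and the security-constraint then rejects unauthenticated requests to /secure/* only; clientAuth="true" makes the handshake itself fail for every URL when no acceptable certificate is offered, which is the all-or-nothing behaviour the original question describes. Once the handshake has succeeded, request.getAttribute("javax.servlet.request.X509Certificate") returns the presented chain as an X509Certificate[], and request.getUserPrincipal() is populated only for requests that passed through the CLIENT-CERT constraint and matched a realm user.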
