tomcat-users mailing list archives

From "Andrew Friebel" <andr...@reynolds.com.au>
Subject Extracting certificate information
Date Thu, 09 Nov 2006 22:32:27 GMT
I am still trying to extract certificate information.  It was suggested
that I needed the following in my web.xml:
 
<login-config>
     <auth-method>CLIENT_CERT</auth-method>
     <realm-name>My Test Realm</realm-name>
</login-config>
 
This didn't work, so I also added (before the login-config tag):
 
<security-constraint>
   <web-resource-collection>
      <web-resource-name>My Test Realm</web-resource-name>
      <url-pattern>/*</url-pattern>
   </web-resource-collection>
   <auth-constraint>
      <role-name>myrole</role-name>
   </auth-constraint>
</security-constraint>
 
<security-role>
   <role-name>myrole</role-name>
</security-role>
 
 
After I did this, it appeared that Tomcat was doing more handshaking, as
I got the following error:
 
 
[Fatal Error] :1:974: The element type "HR" must be terminated by the matching end-tag "</HR>".
org.xml.sax.SAXParseException: The element type "HR" must be terminated by the matching end-tag "</HR>".
        at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
        at com.reynolds.webservices.ResponseSaxParser.displayDocument(ResponseSaxParser.java:114)
        at com.reynolds.webservices.ProcessInputStream.sendMsg(ProcessInputStream.java:260)
        at com.reynolds.webservices.SocketFromEra.execute(SocketFromEra.java:113)
        at com.reynolds.webservices.SocketFromEra.doPost(SocketFromEra.java:78)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
        at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
        at java.lang.Thread.run(Thread.java:534)
 
Here is a snippet of code from the servlet that is attempting to send a
message using SSL (call this servlet 1):
 
// start code snippet

// Imports needed by this snippet (the rest of the servlet is not shown):
import java.io.BufferedReader;
import java.io.StringReader;
import java.net.URL;
import java.util.Vector;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLSession;
import javax.xml.parsers.DocumentBuilder;
import org.apache.soap.Body;
import org.apache.soap.Envelope;
import org.apache.soap.messaging.Message;
import org.apache.soap.transport.SOAPTransport;
import org.apache.soap.util.xml.XMLParserUtils;
import org.w3c.dom.Document;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;

// trustStore, trustStorePassword, soapAction and logger are defined elsewhere in
// the servlet; this code runs inside doPost, which declares IOException.
String EndPoint = "https://myurl";
String bodyString = ...; // previously defined XML string

try {
    // JVM-wide trust store used to validate the server certificate.
    System.setProperty("javax.net.ssl.trustStore", trustStore);
    System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);

    // NOTE: this verifier accepts every hostname, so a certificate issued for a
    // different host is only logged, never rejected; hostname verification is
    // effectively switched off for every HttpsURLConnection in the JVM.
    HostnameVerifier hostnameVerifier = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            logger.error("WARNING: Hostname is not matched for certificate.");
            return true;
        }
    };
    HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);
} catch (Exception e) {
    logger.error(e.getMessage());
}

URL destUrl = new URL(EndPoint);

try {
    // Parse the XML string and wrap its root element in a SOAP envelope.
    DocumentBuilder builder = XMLParserUtils.getXMLDocBuilder();
    Document doc = builder.parse(new InputSource(new StringReader(bodyString)));

    Envelope msgEnvelope = new Envelope();
    Vector vect = new Vector();
    vect.add(doc.getDocumentElement());
    Body tmpBody = new Body();
    tmpBody.setBodyEntries(vect);
    msgEnvelope.setBody(tmpBody);

    Message tmpMsg = new Message();
    try {
        tmpMsg.send(destUrl, soapAction, msgEnvelope);

        // Read the raw response; it is later parsed as XML (see
        // ResponseSaxParser.displayDocument in the stack trace above).
        SOAPTransport transport = tmpMsg.getSOAPTransport();
        BufferedReader resReader = transport.receive();
        StringBuffer retMsg = new StringBuffer();
        String retLine = "";
        while ((retLine = resReader.readLine()) != null) {
            retMsg.append(retLine);
        }
        StringReader strReader = new StringReader(retMsg.toString());
    } catch (org.apache.soap.SOAPException soape) {
        soape.printStackTrace();
    }
} catch (SAXException se) {
    se.printStackTrace();
}

// end code snippet
 
 
In servlet 2 (which receives the data sent from servlet 1), I wish to
extract the certificate information that was sent from servlet 1.  The
primary assumptions I have made are that:

* Tomcat sends the client certificate from servlet 1
* Tomcat passes the client certificate to servlet 2 once the connection
has been established
 
 
In servlet 2 I have various system print lines to verify my output.
These lines never get printed, so the stack trace from above is the
Tomcat SSL handshaking (I do not know where the "HR" tag is coming
from).  The doPost method of servlet 2 currently looks like:
 
// start code snippet

// Inside doPost(HttpServletRequest request, HttpServletResponse response);
// needs: import java.security.cert.X509Certificate;
System.out.println("Auth Type = " + request.getAuthType());
System.out.println("Char Encoding = " + request.getCharacterEncoding());
System.out.println("Remote Address = " + request.getRemoteAddr());
System.out.println("Remote Host = " + request.getRemoteHost());
System.out.println("Protocol = " + request.getProtocol());
System.out.println("Scheme = " + request.getScheme());

// The container exposes the client's certificate chain under this request
// attribute; element 0 is the client's own (end-entity) certificate.
X509Certificate[] certs = (X509Certificate[])
    request.getAttribute("javax.servlet.request.X509Certificate");

if (certs == null) {
    // Processed a request that did not contain a client certificate.
    System.out.println("No certificates");
} else {
    // Attempt to extract the principal name from the Subject:
    String clientDN = certs[0].getSubjectDN().getName();
    System.out.println("Client DN = " + clientDN);
}

// end code snippet
 
I have been told to change "certs == null" to
"request.getAuthType()==request.CLIENT_CERT_AUTH", which is fine, but at
the moment, servlet 2 is not being executed.
 
Has anyone got any ideas/suggestions/guidance that can assist?
 
Regards,
Andrew Friebel
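A hardened counterpart to the servlet 1 snippet, added here as an example and not part of the original post or the Reynolds code: it loads a client key store alongside the trust store (without a key manager holding its own certificate, JSSE has nothing to present when the server asks for a client certificate), scopes the TLS settings to the connection instead of JVM-wide System properties, keeps the default hostname verification rather than a verifier that returns true, and checks the HTTP status and content type before the response reaches an XML parser. The class name `MutualTlsClient`, the key store path and the password arguments are assumptions.

```java
import java.io.*;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.*;

// Hypothetical helper, not from the original post: presents a client certificate from a key store,
// keeps JSSE's default hostname check, and refuses to hand a non-XML response to the XML parser.
public final class MutualTlsClient {
    private static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }
    // keyStorePath: servlet 1's own private key and certificate (the chain servlet 2 will see).
    // trustStorePath: the CA certificate(s) that the server's certificate must chain to.
    public static SSLContext buildContext(String keyStorePath, char[] keyPass,
                                          String trustStorePath, char[] trustPass) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, keyPass), keyPass);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStorePath, trustPass));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    // Returns a reader over the SOAP response; the caller hands it to its SAX parser.
    public static BufferedReader post(SSLContext ctx, String endpoint, String soapAction, String body)
            throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(endpoint).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // scoped to this connection, not JVM-wide
        // Deliberately no custom HostnameVerifier: the default rejects a name mismatch instead of logging it.
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "text/xml; charset=UTF-8");
        conn.setRequestProperty("SOAPAction", soapAction);
        try (OutputStream out = conn.getOutputStream()) {
            out.write(body.getBytes("UTF-8"));
        }
        int status = conn.getResponseCode();
        String type = String.valueOf(conn.getContentType());
        // A 401/403 from the container arrives as an HTML page; parsing that as SOAP yields SAX errors.
        if (status != 200 || !type.contains("xml")) {
            throw new IOException("Unexpected response: HTTP " + status + " (" + type + ")");
        }
        return new BufferedReader(new InputStreamReader(conn.getInputStream(), "UTF-8"));
    }
}
```

The server side still needs the connector configured to request client certificates and a realm that maps the certificate subject to a user with the constrained role; otherwise the container answers with its own error page, which is the kind of HTML response the check above rejects.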
