From: "Andrew Friebel"
To: Tomcat Users List (users@tomcat.apache.org)
Subject: Extracting certificate information
Date: Fri, 10 Nov 2006 09:32:27 +1100
Message-ID: <002a01c7044e$eff50180$21951e0a@andrewf>
I am still trying to extract certificate information. It was suggested that I needed the following in my web.xml:

<login-config>
  <auth-method>CLIENT_CERT</auth-method>
  <realm-name>My Test Realm</realm-name>
</login-config>

This didn't work, so I also added (before the login-config tag):

<security-constraint>
  <web-resource-collection>
    <web-resource-name>My Test Realm</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>myrole</role-name>
  </auth-constraint>
</security-constraint>
<security-role>
  <role-name>myrole</role-name>
</security-role>

After I did this, it appeared that Tomcat was doing more handshaking, as I got the following error:

[Fatal Error] :1:974: The element type "HR" must be terminated by the matching end-tag "</HR>".
org.xml.sax.SAXParseException: The element type "HR" must be terminated by the matching end-tag "</HR>".
	at org.apache.xerces.parsers.AbstractSAXParser.parse(Unknown Source)
	at com.reynolds.webservices.ResponseSaxParser.displayDocument(ResponseSaxParser.java:114)
	at com.reynolds.webservices.ProcessInputStream.sendMsg(ProcessInputStream.java:260)
	at com.reynolds.webservices.SocketFromEra.execute(SocketFromEra.java:113)
	at com.reynolds.webservices.SocketFromEra.doPost(SocketFromEra.java:78)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:709)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:802)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:157)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:214)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
	at org.apache.catalina.core.StandardContextValve.invokeInternal(StandardContextValve.java:198)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:152)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:137)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:117)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:102)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
	at org.apache.catalina.core.StandardValveContext.invokeNext(StandardValveContext.java:104)
	at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:520)
	at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:929)
	at org.apache.coyote.tomcat5.CoyoteAdapter.service(CoyoteAdapter.java:160)
	at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
	at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
	at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
	at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
	at java.lang.Thread.run(Thread.java:534)

Here is a snippet of code from the servlet that is attempting to send a message using SSL (call this servlet 1):

// start code snippet
String EndPoint = "https://myurl";
String bodyString = ...;   // XML payload; the literal did not survive the list archive
try {
    // Tell JSSE which CA certificates to trust for the outbound connection.
    System.setProperty("javax.net.ssl.trustStore", trustStore);
    System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
    // Accepts every host name: this switches host-name verification off for
    // every HttpsURLConnection in the JVM, not just this one.
    HostnameVerifier hostnameVerifier = new HostnameVerifier() {
        public boolean verify(String hostname, SSLSession session) {
            logger.error("WARNING: Hostname is not matched for certificate.");
            return true;
        }
    };
    HttpsURLConnection.setDefaultHostnameVerifier(hostnameVerifier);
} catch (Exception e) {
    logger.error(e.getMessage());
}
URL destUrl = new URL(EndPoint);
try {
    DocumentBuilder builder = XMLParserUtils.getXMLDocBuilder();
    Document doc = builder.parse(new InputSource(new StringReader(bodyString)));
    // Wrap the parsed document in a SOAP envelope (Apache SOAP API).
    Envelope msgEnvelope = new Envelope();
    Vector vect = new Vector();
    vect.add(doc.getDocumentElement());
    Body tmpBody = new Body();
    tmpBody.setBodyEntries(vect);
    msgEnvelope.setBody(tmpBody);
    Message tmpMsg = new Message();
    try {
        tmpMsg.send(destUrl, soapAction, msgEnvelope);
        SOAPTransport transport = tmpMsg.getSOAPTransport();
        // Read the whole response body into a string before it is parsed.
        BufferedReader resReader = transport.receive();
        StringBuffer retMsg = new StringBuffer();
        String retLine = "";
        while ((retLine = resReader.readLine()) != null) {
            retMsg.append(retLine);
        }
        StringReader strReader = new StringReader(retMsg.toString());
    } catch (org.apache.soap.SOAPException soape) {
        soape.printStackTrace();
    }
} catch (SAXException se) {
    se.printStackTrace();
}
// end code snippet

In servlet 2 (which receives the data sent from servlet 1), I wish to extract the certificate information that was sent from servlet 1. The primary assumptions I have made are that:

* Tomcat sends the client certificate from servlet 1
* Tomcat passes the client certificate to servlet 2 once the connection has been established

In servlet 2 I have various System.out.println lines to verify my output. These lines never get printed, so the stack trace above is the Tomcat SSL handshaking (I do not know where the "HR" tag is coming from).

The doPost method of servlet 2 currently looks like:

// start code snippet
System.out.println("Auth Type = " + request.getAuthType());
System.out.println("Char Encoding = " + request.getCharacterEncoding());
System.out.println("Remote Address = " + request.getRemoteAddr());
System.out.println("Remote Host = " + request.getRemoteHost());
System.out.println("Protocol = " + request.getProtocol());
System.out.println("Scheme = " + request.getScheme());
// The container stores the client certificate chain under this request attribute.
X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
if (certs == null) {
    // Processed a request that did not contain a client certificate.
    System.out.println("No certificates");
} else {
    // Attempt to extract the principal name from the Subject of the end-entity certificate.
    String clientDN = certs[0].getSubjectDN().getName();
    System.out.println("Client DN = " + clientDN);
}
// end code snippet

I have been told to change "certs == null" to "request.getAuthType()==request.CLIENT_CERT_AUTH", which is fine, but at the moment servlet 2 is not being executed. Has anyone got any ideas/suggestions/guidance that can assist?

Regards,
Andrew Friebel
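Added example, not code from the post: a doPost for the receiving servlet that combines the two checks discussed above. HttpServletRequest.CLIENT_CERT_AUTH is the String "CLIENT_CERT", so it has to be compared with equals(), not ==; note also that the web.xml <auth-method> value defined by the Servlet specification is spelled CLIENT-CERT, with a hyphen. The attribute name is the one from the post; the class name is invented.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; the request attribute is the one defined by the
// Servlet specification and used in the post.
public class CertInfoServlet extends HttpServlet {

    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    protected void doPost(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {

        // getAuthType() is non-null only when the container itself authenticated the
        // caller through the login-config. CLIENT_CERT_AUTH is a String constant,
        // so use equals(), not ==.
        boolean containerAuthenticated =
            HttpServletRequest.CLIENT_CERT_AUTH.equals(request.getAuthType());

        // Tomcat sets this attribute whenever the connector received a client
        // certificate chain, with or without a login-config in web.xml.
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);

        if (chain == null || chain.length == 0) {
            // Nothing was presented: the connector did not ask for a certificate
            // (clientAuth="false") or the client has no key store configured.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                               "client certificate required");
            return;
        }

        X509Certificate leaf = chain[0];
        try {
            // The connector already validated the chain against its trust store;
            // this re-checks the validity period of the end-entity certificate.
            leaf.checkValidity();
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                               "client certificate not valid");
            return;
        }

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("container-authenticated: " + containerAuthenticated);
        out.println("remote-user: " + request.getRemoteUser());
        // RFC 2253 form of the subject and issuer names.
        out.println("subject: " + leaf.getSubjectX500Principal().getName());
        out.println("issuer: " + leaf.getIssuerX500Principal().getName());
        out.println("serial: " + leaf.getSerialNumber().toString(16));
        out.println("chain-length: " + chain.length);
    }
}
```

With the security-constraint from the post in place, the realm configured for the context also has to know a user whose name is the certificate's subject DN and grant it the role myrole; if it does not, Tomcat answers with its own 403 error page and the servlet never runs.

Second added example, for the sending side (again not code from the post). The servlet 1 snippet sets only javax.net.ssl.trustStore, which tells JSSE what to trust; to present a client certificate the JVM also needs javax.net.ssl.keyStore and javax.net.ssl.keyStorePassword, otherwise servlet 2 never sees a certificate. The snippet also feeds the response straight into a SAX parser, but a Tomcat error page (such as the 401 or 403 produced by a security-constraint) is HTML and contains an unclosed <HR> element, which is what the SAXParseException above is complaining about. This version uses HttpsURLConnection directly instead of the Apache SOAP Message class, checks the status code and Content-Type before anything is parsed, and leaves the default host-name verifier in place. The class name, endpoint URL and key store paths are placeholders.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;

import javax.net.ssl.HttpsURLConnection;

// Hypothetical helper; it replaces the Apache SOAP Message/SOAPTransport calls
// from the post with a plain HttpsURLConnection so the HTTP status and content
// type can be inspected before the body is handed to an XML parser.
public final class XmlOverTlsClient {

    private XmlOverTlsClient() {}

    /** Configure the JVM-wide JSSE stores. Both are needed for mutual TLS. */
    public static void configureStores(String trustStore, String trustStorePassword,
                                       String keyStore, String keyStorePassword) {
        // What the client trusts (the server's CA) ...
        System.setProperty("javax.net.ssl.trustStore", trustStore);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
        // ... and what the client presents; without this no client certificate is sent.
        System.setProperty("javax.net.ssl.keyStore", keyStore);
        System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
    }

    /**
     * POSTs an XML document and returns the raw response bytes, but only when the
     * server answered 200 with an XML content type. Anything else (a Tomcat HTML
     * error page, a redirect to a login form) is reported instead of being parsed.
     */
    public static byte[] postXml(URL endpoint, String soapAction, byte[] body)
            throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) endpoint.openConnection();
        // No custom HostnameVerifier: the default rejects a server certificate whose
        // name does not match the host in the URL.
        conn.setRequestMethod("POST");
        conn.setDoOutput(true);
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8");
        conn.setRequestProperty("SOAPAction", "\"" + soapAction + "\"");

        OutputStream out = conn.getOutputStream();
        try {
            out.write(body);
        } finally {
            out.close();
        }

        int status = conn.getResponseCode();
        String contentType = conn.getContentType();
        if (status != HttpsURLConnection.HTTP_OK) {
            // Error pages are HTML: surface the status instead of feeding them to SAX.
            throw new IOException("endpoint returned HTTP " + status + " "
                + conn.getResponseMessage() + " (content type " + contentType + ")");
        }
        if (contentType == null || !isXml(contentType)) {
            throw new IOException("expected an XML response, got " + contentType);
        }

        InputStream in = conn.getInputStream();
        try {
            return readFully(in);
        } finally {
            in.close();
        }
    }

    /** True for text/xml, application/xml and any "+xml" media type, ignoring parameters. */
    static boolean isXml(String contentType) {
        String mime = contentType.toLowerCase();
        int semi = mime.indexOf(';');
        if (semi >= 0) {
            mime = mime.substring(0, semi).trim();
        }
        return mime.equals("text/xml") || mime.equals("application/xml")
            || mime.endsWith("+xml");
    }

    private static byte[] readFully(InputStream in) throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[4096];
        int n;
        while ((n = in.read(chunk)) != -1) {
            buf.write(chunk, 0, n);
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        // Placeholder paths and URL; replace with the real ones.
        configureStores("/path/to/truststore.jks", "changeit",
                        "/path/to/client-keystore.jks", "changeit");
        byte[] payload = "<ping/>".getBytes("UTF-8");
        byte[] reply = postXml(new URL("https://myurl/servlet2"), "", payload);
        System.out.println(new String(reply, "UTF-8"));
    }
}
```

Reading the response as bytes and checking the media type first keeps the XML parser from ever seeing an HTML error page; when the status is not 200 the exception message carries the status and content type, which is usually enough to tell a connector misconfiguration (no certificate requested) from a realm problem (certificate accepted but no role).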