tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: In apache-tomcat-7.0.40 want to set Client auth dynamically
Date Tue, 29 Oct 2013 18:44:25 GMT

Sushil,

On 10/29/13, 4:27 AM, Mark Thomas wrote:
> On 29/10/2013 05:57, Sushil Prusty wrote:
>> Hi All,
>> 
>> 
>> In server.xml I need to set up the clientAuth value dynamically. Is
>> there any Java Apache API available to set the value at runtime, or
>> any other alternative option?
>> 
>> <Connector  clientAuth="false" .......>
> 
> The behaviour varies by connector.
> 
> The BIO connector uses the value for clientAuth when the server
> socket is created and doesn't update it. It looks like it should be
> possible to update it dynamically but the code doesn't do that.
> 
> The NIO connector uses the value for clientAuth at the point where
> the client makes a connection. Therefore dynamic updates to
> clientAuth (e.g. via JMX) should take effect with the next
> attempted connection.
> 
> The APR connector uses a different attribute so I guess you aren't
> using it. For completeness, it uses the value when the server
> socket is created and doesn't update it. It might be possible to
> update it dynamically but the code doesn't do that.

Another option is to set clientAuth="want" and then implement the
cert-checking yourself.

See a post of mine from the archives that includes the
relatively-simple Java code to check the certificate chain (note that
it's not using OCSP or anything like that):
http://markmail.org/message/kzxsamuiu6bldjmv

-chris
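
The clientAuth="want" approach suggested in the message above, sketched as a servlet filter. This is an added example, not code from the thread, the linked post, or the Tomcat project; the class name `ClientCertFilter`, the `setEnforce` switch and the `requiredIssuer` init-param are hypothetical. It assumes the Connector is configured with clientAuth="want", and it performs no revocation checking.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical names). With clientAuth="want" the TLS handshake
// succeeds with or without a client certificate, so the decision is made here.
public class ClientCertFilter implements Filter {
    // Standard Servlet-spec request attribute holding the client's certificate chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Runtime switch: flip it (e.g. from an admin servlet) without touching server.xml.
    private static volatile boolean enforce = true;
    private X500Principal requiredIssuer; // optional policy: expected issuer DN

    public static void setEnforce(boolean on) { enforce = on; }

    @Override
    public void init(FilterConfig cfg) {
        String dn = cfg.getInitParameter("requiredIssuer"); // assumed init-param name
        requiredIssuer = (dn == null) ? null : new X500Principal(dn);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (enforce && !accept((X509Certificate[]) req.getAttribute(CERT_ATTR))) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Valid client certificate required");
            return;
        }
        chain.doFilter(req, res);
    }

    // True only if a certificate was presented, is within its validity period,
    // and (when configured) was issued by the expected issuer.
    boolean accept(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) return false; // none presented
        X509Certificate leaf = certs[0]; // the client's own certificate comes first
        try {
            leaf.checkValidity(); // throws if expired or not yet valid
        } catch (CertificateException e) {
            return false;
        }
        return requiredIssuer == null || requiredIssuer.equals(leaf.getIssuerX500Principal());
    }

    @Override
    public void destroy() { }
}
```

Map the filter in web.xml only to the URL patterns that need a client certificate; requests to other paths are unaffected.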
