tomcat-users mailing list archives

From Christopher Schultz
Subject Re: Extended Validation Certificates Support JNDIRealm
Date Fri, 21 Apr 2017 17:42:30 GMT


(Bringing this back onto the list; apologies for inadvertently
replying off-list)

On 4/21/17 12:25 PM, Lucas S. Silva wrote:
> Hi Christopher,
> Thanks for the reply.
> Yes, the goal is to check the user certificate against some 
> configurable OIDs.

If you want to check the user certificate for some OID other than the
usual subject DN, you want to use a custom username-retriever on your

Search for "X509UsernameRetrieverClassName", then write a class that
implements that interface. You can return any String value you can
pull from the certificate. The OID is up to you. The authenticator
will use the username returned by that class's
getUsername(X509Certificate) method against whatever user data store
you have configured (e.g. DataSource/JNDI/etc.).

If you want to perform some other kind of authentication (like just
verifying that the user's certificate meets some kind of requirement,
like the validity period is less than 30 days or whatever), then you
only have a few options IMO:

1. Write your own authenticator (I'd recommend subclassing whichever
one you like already, and just add your own checks before/after
delegating authentication to the superclass).

2. Use an X509UsernameRetriever as above and throw an exception if the
certificate doesn't meet your requirements.

3. Write a Filter that takes the client's certificate from the request
attributes, checks it, and takes appropriate action (logout? throw an
exception? log an error?) if the cert doesn't meet your requirements.

Hope that helps.

-chris

> On 21 April 2017 at 16:02, Christopher Schultz wrote:
> Lucas,
> On 4/21/17 2:55 AM, Lucas S. Silva wrote:
>> My end goal is to check the certificate's OID. I did some research
>> and I found that in the RealmBase there is a method
>> authenticate(X509Certificate certs)
>> and in the X509Certificate there is
>> public abstract String getSigAlgOID()
>> I suspect those should help me check the certificate
>> Assurance Levels?
> Are you trying to authenticate a user using a specific OID (which 
> one?) in the cert, or are you trying to determine if the 
> certificate is an EV certificate specifically?
> -chris
>> On 20 April 2017 at 19:50, Christopher Schultz wrote:
>>> Lucas,
>>> On 4/20/17 1:12 PM, Lucas S. Silva wrote:
>>>> I am trying to implement a custom JNDIRealm that will do
>>>> some validations based on the Extended Validation
>>>> Certificates like the OID. Is this supported by Tomcat?
>>> The term "Extended Validation" has a special meaning when you are
>>> talking about X.509 certificates. What do you mean, here,
>>> specifically, when you say "Extended Validation Certificates"?
>>>> Or I will just get whatever the LDAP server supports? I
>>>> could not find which method I would have to overwrite to
>>>> get the extended validation certificates:
>>>> /JNDIRealm.html
>>> What,
>>> specifically, are you trying to accomplish?
>>> -chris
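As an added example (not code from this thread or from Tomcat itself), here is what option 2 in the reply above could look like: a class implementing Tomcat's org.apache.catalina.realm.X509UsernameRetriever that walks the certificate's Certificate Policies extension and throws when a required policy OID is absent, otherwise returning the subject DN as the username. The class name, the sample policy OID 2.23.140.1.1 (the CA/Browser Forum EV policy identifier, used here only as a sample) and the small hand-written DER walker are this example's own assumptions; the class is wired in with the Realm's X509UsernameRetrieverClassName attribute mentioned above.

```java
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import org.apache.catalina.realm.X509UsernameRetriever;

// Option 2 from the reply: refuse certificates whose Certificate Policies extension
// (2.5.29.32) lacks a required policy OID, otherwise return the subject DN as the username.
public class PolicyOidUsernameRetriever implements X509UsernameRetriever {
    // Required policy OID (sample value chosen for this example; make it configurable).
    static final String REQUIRED_POLICY = "2.23.140.1.1";
    public String getUsername(X509Certificate cert) {
        if (!certificatePolicies(cert).contains(REQUIRED_POLICY))
            throw new IllegalArgumentException("certificate lacks policy OID " + REQUIRED_POLICY);
        return cert.getSubjectX500Principal().getName();
    }
    // getExtensionValue() returns the DER OCTET STRING wrapper; its content is
    // SEQUENCE OF PolicyInformation ::= SEQUENCE { policyIdentifier OID, ... }.
    static Set<String> certificatePolicies(X509Certificate cert) {
        Set<String> oids = new HashSet<>();
        byte[] ext = cert.getExtensionValue("2.5.29.32");
        if (ext == null) return oids; // no policies extension at all
        byte[] list = tlv(tlv(ext, new int[1], 0x04), new int[1], 0x30);
        for (int[] pos = new int[1]; pos[0] < list.length; )
            oids.add(decodeOid(tlv(tlv(list, pos, 0x30), new int[1], 0x06)));
        return oids;
    }
    // Reads one DER TLV at pos[0], checks its tag, advances pos and returns the value bytes.
    private static byte[] tlv(byte[] buf, int[] pos, int tag) {
        if ((buf[pos[0]++] & 0xff) != tag) throw new IllegalArgumentException("unexpected DER tag");
        int len = buf[pos[0]++] & 0xff;
        if (len > 0x7f) { // long form: the low 7 bits give the number of length octets
            int n = len & 0x7f; len = 0;
            for (int i = 0; i < n; i++) len = (len << 8) | (buf[pos[0]++] & 0xff);
        }
        // Java evaluates arguments left to right, so the start index is read before pos advances.
        return java.util.Arrays.copyOfRange(buf, pos[0], pos[0] += len);
    }
    // Base-128 OID decoding; the first sub-identifier packs the first two arcs (40*a1 + a2).
    private static String decodeOid(byte[] b) {
        StringBuilder sb = new StringBuilder();
        long v = 0;
        for (byte x : b) {
            v = (v << 7) | (x & 0x7f);
            if ((x & 0x80) != 0) continue; // continuation bit set: more septets follow
            long a = sb.length() > 0 ? -1 : v < 40 ? 0 : v < 80 ? 1 : 2;
            sb.append(a < 0 ? "." + v : a + "." + (v - 40 * a));
            v = 0;
        }
        return sb.toString();
    }
}
```

Any certificate without the required policy never reaches the user store, so the rejection shows up in the authenticator's handling of the thrown exception rather than as a lookup failure in the Realm.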


