On Tue, Feb 11, 2003 at 10:42:33PM -0800, Bill Barker wrote:
>
> "Alex Tang" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]...
> > Hi folks.
> >
> > I was wondering if it's possible to get client certificate information
> > from tomcat (3.3.1) when running STANDALONE (e.g. NOT using mod_jk or an
> > external webserver).
> >
> > I can setup tomcat so that it requires client-auth properly, however I
> > don't seem to be able to programmatically get at any of the certificate
> > information.
> >
>
> This sounds like you've found the clientauth="true" attribute on the
> Http10Connector element. This causes Tomcat to require a client cert for
> each SSL request (unlike TC 4.x, it's an all-or-nothing setting).

Hi Bill. Thanks for your response.

Yes, I did find "clientauth='true'". It does make my tc 3.3.1 instance
require a client-cert for everything.

> You should then be able to access the top-level cert (all that can be
> exposed under the 2.2 Servlet-spec :() via
> 'request.getAttribute("javax.servlet.request.X509Certificate")'. As per
> section 5.7 of the 2.2 spec, this will be of type
> java.security.cert.X509Certificate.
>
> I haven't tried this with the Http10Connector for a very long time (it seems
> to work fine with the 3.3.2-dev CoyoteConnector). If you are still having
> problems, please report it to http://nagoya.apache.org/bugzilla/.

OK, this is getting more bizarre (well, for me at least). Originally, I
was testing using SnoopServlet, and looking at the values of "Request
attributes:" (which just iterates over the Enumeration returned from
"request.getAttributeNames()").

When using apache and mod_jk, I am getting the attributes:

    javax.servlet.request.cipher_suite
    javax.servlet.request.X509Certificate
    javax.servlet.request.ssl_session

(Thanks to your reference, I realize that only the X509Certificate
attribute is required by the servlet 2.2 spec.)

When running in tomcat standalone, I get an empty Enumeration returned
from "request.getAttributeNames()". I thought that the cert information was
not available. However, if I do

    request.getAttribute ( "javax.servlet.request.X509Certificate" );

a valid X509Certificate array is returned.

Why is this attribute not showing up when doing
"request.getAttributeNames()"? A sample servlet and the response I'm
receiving are included below.

Thanks again.

...alex...

FYI: Here's a test servlet (basically a modified SnoopServlet):
---------------------------------------------------------------------------
import java.io.IOException;
import java.io.PrintWriter;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;
import java.security.cert.*;

public class TestServlet extends HttpServlet {

    public void doGet(HttpServletRequest request, HttpServletResponse response)
        throws ServletException, IOException
    {
        PrintWriter out = response.getWriter();
        response.setContentType("text/plain");

        out.println("Test Servlet");
        out.println();

        // Enumerate every attribute name the container reports.
        out.println("Dumping Request attributes:");
        Enumeration e = request.getAttributeNames();
        while (e.hasMoreElements()) {
            String key = (String)e.nextElement();
            Object value = request.getAttribute(key);
            out.println(" " + key + " = " + value);
        }
        out.println("END Request attributes:");
        out.println();

        // Look the certificate attribute up directly by name.
        out.println("Dumping request attribute " +
            "javax.servlet.request.X509Certificate" );
        X509Certificate[] certs = (X509Certificate[])request.getAttribute (
            "javax.servlet.request.X509Certificate" );
        if ( certs != null ) {
            for ( int i = 0; i < certs.length; i++ ) {
                out.println ( " CERT " + i + ": " +
                    certs[i].getSubjectDN().getName() );
            }
        }
        out.println("END request attribute " +
            "javax.servlet.request.X509Certificate" );
    }
}
---------------------------------------------------------------------------
When I use tomcat 3.3.1 in standalone, i get the following results:
---------------------------------------------------------------------------
Test Servlet
Dumping Request attributes:
END Request attributes:
Dumping request attribute javax.servlet.request.X509Certificate
CERT 0: CN=Alex Tang, OU=People, O=Funkware, C=US
END request attribute javax.servlet.request.X509Certificate
---------------------------------------------------------------------------
And for comparison, when i use apache and mod_jk, i get the following:
---------------------------------------------------------------------------
Test Servlet
Dumping Request attributes:
javax.servlet.request.cipher_suite = RC4-MD5
javax.servlet.request.X509Certificate = [Ljava.security.cert.X509Certificate;@203c31
javax.servlet.request.ssl_session = 77971778D91F8A7AD58E765BDD7C3C1BD1AA05ADCC5B279BC5C7845F14AAE915
END Request attributes:
Dumping request attribute javax.servlet.request.X509Certificate
CERT 0: CN=Alex Tang, OU=People, O=Funkware, C=US
---------------------------------------------------------------------------
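
Added example, not part of the original message and not Tomcat's own code: a helper that reads the client certificate by name instead of relying on `getAttributeNames()`, and accepts both the single `X509Certificate` the reply describes and the array seen in the test output above. The names `ClientCerts`, `normalize`, `chain` and `subject` are hypothetical.

```java
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical helper (not from the thread or from Tomcat). */
public final class ClientCerts {

    /** Attribute name defined by the servlet spec for the client certificate. */
    static final String ATTR = "javax.servlet.request.X509Certificate";

    private ClientCerts() {}

    /**
     * Normalizes whatever the connector stored under ATTR.
     * Kept separate from the request so it can be unit-tested without a container.
     */
    static X509Certificate[] normalize(Object value) {
        if (value instanceof X509Certificate[]) {
            return (X509Certificate[]) value;            // array, as in the output above
        }
        if (value instanceof X509Certificate) {
            return new X509Certificate[] { (X509Certificate) value };  // single cert
        }
        return new X509Certificate[0];                   // absent or unexpected type
    }

    /**
     * Returns the client certificates, or an empty array if none are present.
     * Uses getAttribute() directly: in the standalone run above the attribute
     * was retrievable by name even though the enumeration was empty.
     */
    public static X509Certificate[] chain(HttpServletRequest request) {
        return normalize(request.getAttribute(ATTR));
    }

    /**
     * Subject DN of the certificate at index 0 (the client's own certificate
     * in the output above), or null so callers can treat the request as
     * unauthenticated.
     */
    public static String subject(HttpServletRequest request) {
        X509Certificate[] certs = chain(request);
        return certs.length == 0 ? null : certs[0].getSubjectDN().getName();
    }
}
```

Authorization code should treat a null return from `subject()` as "no client certificate" and deny access, rather than inferring the absence of a certificate from an empty attribute enumeration.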