Author: markt Date: Fri Jun 3 08:17:02 2011 New Revision: 1130936 URL: http://svn.apache.org/viewvc?rev=1130936&view=rev Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50887 Enable the provider to be configured when generating SSL certs Based on a patch by pknopp
Modified: tomcat/tc6.0.x/trunk/STATUS.txt tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/LocalStrings.properties tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProtocol.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProtocol.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml tomcat/tc6.0.x/trunk/webapps/docs/config/ajp.xml tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Modified: tomcat/tc6.0.x/trunk/STATUS.txt URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1130936&r1=1130935&r2=1130936&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/STATUS.txt (original) +++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Jun 3 08:17:02 2011 
@@ -112,13 +112,6 @@ PATCHES PROPOSED TO BACKPORT: +1: markt, kkolinko -1: -* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50887 - Enable the provider to be configured when generating SSL certs - Based on a patch by pknopp - https://issues.apache.org/bugzilla/attachment.cgi?id=26765 - +1: markt, kkolinko, schultz - -1: - * Add additional configuration options to the DIGEST authenticator http://people.apache.org/~markt/patches/2011-04-01-digest-tc6.patch +1: markt Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/LocalStrings.properties URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/LocalStrings.properties?rev=1130936&r1=1130935&r2=1130936&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/LocalStrings.properties (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/LocalStrings.properties Fri Jun 3 08:17:02 2011 @@ -44,6 +44,8 @@ errorReportValve.rootCauseInLogs=The ful # Remote IP valve remoteIpValve.syntax=Invalid regular expressions [{0}] provided. +sslValve.invalidProvider=The SSL provider specified on the connector associated with this request of [{0}] is invalid. The certificate data could not be processed. + # HTTP status reports http.100=The client may continue ({0}). http.101=The server is switching protocols according to the "Upgrade" header ({0}). Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java?rev=1130936&r1=1130935&r2=1130936&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/valves/SSLValve.java Fri Jun 3 08:17:02 2011 
@@ -20,6 +20,7 @@ package org.apache.catalina.valves; import java.io.IOException; import java.io.ByteArrayInputStream; +import java.security.NoSuchProviderException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; @@ -28,7 +29,8 @@ import javax.servlet.ServletException; import org.apache.catalina.valves.ValveBase; import org.apache.catalina.connector.Request; import org.apache.catalina.connector.Response; -import org.apache.catalina.util.StringManager; +import org.apache.juli.logging.Log; +import org.apache.juli.logging.LogFactory; /* * Valve to fill the SSL informations in the request @@ -46,8 +48,10 @@ import org.apache.catalina.util.StringMa * @version $Id$ */ -public class SSLValve - extends ValveBase { +public class SSLValve extends ValveBase { + + private static final Log log = LogFactory.getLog(SSLValve.class); + /* private static final String info = "SSLValve/1.0"; 
@@ -87,14 +91,25 @@ public class SSLValve // ByteArrayInputStream bais = new ByteArrayInputStream(strcerts.getBytes("UTF-8")); ByteArrayInputStream bais = new ByteArrayInputStream(strcerts.getBytes()); X509Certificate jsseCerts[] = null; + String providerName = (String) request.getConnector().getProperty( + "clientCertProvider"); try { - CertificateFactory cf = CertificateFactory.getInstance("X.509"); + CertificateFactory cf; + if (providerName == null) { + cf = CertificateFactory.getInstance("X.509"); + } else { + cf = CertificateFactory.getInstance("X.509", providerName); + } X509Certificate cert = (X509Certificate) cf.generateCertificate(bais); jsseCerts = new X509Certificate[1]; jsseCerts[0] = cert; } catch (java.security.cert.CertificateException e) { System.out.println("SSLValve failed " + strcerts); System.out.println("SSLValve failed " + e); + } catch (NoSuchProviderException e) { + log.error(sm.getString( + "sslValve.invalidProvider", providerName), e); + } request.setAttribute("javax.servlet.request.X509Certificate", jsseCerts); } Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java?rev=1130936&r1=1130935&r2=1130936&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProcessor.java Fri Jun 3 08:17:02 2011 @@ -22,6 +22,7 @@ import java.io.IOException; import java.io.InterruptedIOException; import java.net.InetAddress; import java.nio.ByteBuffer; +import java.security.NoSuchProviderException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; 
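Review bot: A provider that is registered but offers no X.509 CertificateFactory still ends up in the pre-existing `catch (java.security.cert.CertificateException e)` branch, because `CertificateFactory.getInstance("X.509", providerName)` throws CertificateException in that case, so the misconfiguration is printed to System.out together with the raw certificate data and the new `sslValve.invalidProvider` message naming `providerName` is never emitted. Now that the class has `log`, the first branch should report through it too and mention the provider when one was configured, e.g. `if (providerName != null) { log.error(sm.getString("sslValve.invalidProvider", providerName), e); }` ahead of the existing output, so both failure modes are recognisable in the same log. The `if (providerName == null) … else …` factory selection is repeated verbatim in the AjpAprProcessor, AjpProcessor and Http11AprProcessor hunks below; a single static helper taking the provider name would keep the four sites from drifting. The enclosing invoke method starts before this hunk.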
@@ -334,6 +335,20 @@ public class AjpAprProcessor implements public void setRequiredSecret(String requiredSecret) { this.requiredSecret = requiredSecret; } + /** + * When client certificate information is presented in a form other than + * instances of {@link java.security.cert.X509Certificate} it needs to be + * converted before it can be used and this property controls which JSSE + * provider is used to perform the conversion. For example it is used with + * the AJP connectors, the HTTP APR connector and with the + * {@link org.apache.catalina.valves.SSLValve}. If not specified, the + * default provider will be used. + */ + protected String clientCertProvider = null; + public String getClientCertProvider() { return clientCertProvider; } + public void setClientCertProvider(String s) { this.clientCertProvider = s; } + + // --------------------------------------------------------- Public Methods @@ -555,8 +570,13 @@ public class AjpAprProcessor implements certData.getLength()); // Fill the elements. try { - CertificateFactory cf = - CertificateFactory.getInstance("X.509"); + CertificateFactory cf; + if (clientCertProvider == null) { + cf = CertificateFactory.getInstance("X.509"); + } else { + cf = CertificateFactory.getInstance("X.509", + clientCertProvider); + } while(bais.available() > 0) { X509Certificate cert = (X509Certificate) cf.generateCertificate(bais); 
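Review bot: The Javadoc on `clientCertProvider` calls the value a "JSSE provider", but `CertificateFactory.getInstance(String, String)` resolves it as the name of a JCA security provider registered with `java.security.Security` (the value of `Provider.getName()`), which is what an operator has to look up; the same wording is repeated in the AjpAprProtocol, AjpProcessor, AjpProtocol, Http11AprProcessor, Http11AprProtocol, Http11NioProtocol and Http11Protocol hunks. A clearer sentence would be `controls which JCA security provider, by the name it is registered under in java.security.Security, is used to perform the conversion`. The setter also accepts any string, so a mistyped or empty provider name only surfaces as a NoSuchProviderException on the first request that carries a client certificate; checking `Security.getProvider(s) != null` in the setter or at connector start would fail fast on misconfiguration instead.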
@@ -573,6 +593,9 @@ public class AjpAprProcessor implements } catch (java.security.cert.CertificateException e) { log.error(sm.getString("ajpprocessor.certs.fail"), e); return; + } catch (NoSuchProviderException e) { + log.error(sm.getString("ajpprocessor.certs.fail"), e); + return; } request.setAttribute(AprEndpoint.CERTIFICATE_KEY, jsseCerts); } Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProtocol.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProtocol.java?rev=1130936&r1=1130935&r2=1130936&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProtocol.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpAprProtocol.java Fri Jun 3 08:17:02 2011 @@ -315,6 +315,21 @@ public class AjpAprProtocol public void setPollerSize(int pollerSize) { endpoint.setPollerSize(pollerSize); } public int getPollerSize() { return endpoint.getPollerSize(); } + + /** + * When client certificate information is presented in a form other than + * instances of {@link java.security.cert.X509Certificate} it needs to be + * converted before it can be used and this property controls which JSSE + * provider is used to perform the conversion. For example it is used with + * the AJP connectors, the HTTP APR connector and with the + * {@link org.apache.catalina.valves.SSLValve}. If not specified, the + * default provider will be used. + */ + protected String clientCertProvider = null; + public String getClientCertProvider() { return clientCertProvider; } + public void setClientCertProvider(String s) { this.clientCertProvider = s; } + + // -------------------------------------- AjpConnectionHandler Inner Class 
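Review bot: The new `catch (NoSuchProviderException e)` logs the generic `ajpprocessor.certs.fail` message, which tells the operator the certificates could not be read but not that the cause is the `clientCertProvider` setting, whereas SSLValve in the same commit received a dedicated message carrying the provider name; AjpProcessor's matching hunk has the same gap. A message key taking the provider as `{0}` (a new key, name to be chosen) logged as `log.error(sm.getString("<new key>", clientCertProvider), e);` would make the misconfiguration identifiable from the log alone. On failure the behaviour is consistent with the existing CertificateException path: the method returns before `request.setAttribute(AprEndpoint.CERTIFICATE_KEY, jsseCerts)`, so no certificate attribute is set and the request proceeds without a client-certificate identity. The enclosing method starts before this hunk.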
@@ -421,6 +436,7 @@ public class AjpAprProtocol processor.setAdapter(proto.adapter); processor.setTomcatAuthentication(proto.tomcatAuthentication); processor.setRequiredSecret(proto.requiredSecret); + processor.setClientCertProvider(proto.getClientCertProvider()); register(processor); return processor; } Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java?rev=1130936&r1=1130935&r2=1130936&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProcessor.java Fri Jun 3 08:17:02 2011 @@ -24,6 +24,7 @@ import java.io.InterruptedIOException; import java.io.OutputStream; import java.net.InetAddress; import java.net.Socket; +import java.security.NoSuchProviderException; import java.security.cert.CertificateFactory; import java.security.cert.X509Certificate; @@ -344,6 +345,20 @@ public class AjpProcessor implements Act public void setKeepAliveTimeout(int timeout) { keepAliveTimeout = timeout; } + /** + * When client certificate information is presented in a form other than + * instances of {@link java.security.cert.X509Certificate} it needs to be + * converted before it can be used and this property controls which JSSE + * provider is used to perform the conversion. For example it is used with + * the AJP connectors, the HTTP APR connector and with the + * {@link org.apache.catalina.valves.SSLValve}. If not specified, the + * default provider will be used. + */ + protected String clientCertProvider = null; + public String getClientCertProvider() { return clientCertProvider; } + public void setClientCertProvider(String s) { this.clientCertProvider = s; } + + // --------------------------------------------------------- Public Methods 
@@ -560,8 +575,13 @@ public class AjpProcessor implements Act certData.getLength()); // Fill the elements. try { - CertificateFactory cf = - CertificateFactory.getInstance("X.509"); + CertificateFactory cf; + if (clientCertProvider == null) { + cf = CertificateFactory.getInstance("X.509"); + } else { + cf = CertificateFactory.getInstance("X.509", + clientCertProvider); + } while(bais.available() > 0) { X509Certificate cert = (X509Certificate) cf.generateCertificate(bais); @@ -578,6 +598,9 @@ public class AjpProcessor implements Act } catch (java.security.cert.CertificateException e) { log.error(sm.getString("ajpprocessor.certs.fail"), e); return; + } catch (NoSuchProviderException e) { + log.error(sm.getString("ajpprocessor.certs.fail"), e); + return; } request.setAttribute(JIoEndpoint.CERTIFICATE_KEY, jsseCerts); } Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProtocol.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProtocol.java?rev=1130936&r1=1130935&r2=1130936&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProtocol.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/ajp/AjpProtocol.java Fri Jun 3 08:17:02 2011 
@@ -308,6 +308,20 @@ public class AjpProtocol public void setKeepAliveTimeout(int timeout) { keepAliveTimeout = timeout; } + /** + * When client certificate information is presented in a form other than + * instances of {@link java.security.cert.X509Certificate} it needs to be + * converted before it can be used and this property controls which JSSE + * provider is used to perform the conversion. For example it is used with + * the AJP connectors, the HTTP APR connector and with the + * {@link org.apache.catalina.valves.SSLValve}. If not specified, the + * default provider will be used. + */ + protected String clientCertProvider = null; + public String getClientCertProvider() { return clientCertProvider; } + public void setClientCertProvider(String s) { this.clientCertProvider = s; } + + // -------------------------------------- AjpConnectionHandler Inner Class @@ -407,6 +421,7 @@ public class AjpProtocol processor.setTomcatAuthentication(proto.tomcatAuthentication); processor.setRequiredSecret(proto.requiredSecret); processor.setKeepAliveTimeout(proto.keepAliveTimeout); + processor.setClientCertProvider(proto.getClientCertProvider()); register(processor); return processor; } Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java?rev=1130936&r1=1130935&r2=1130936&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProcessor.java Fri Jun 3 08:17:02 2011 
@@ -320,8 +320,21 @@ public class Http11AprProcessor implemen protected String server = null; + /** + * When client certificate information is presented in a form other than + * instances of {@link java.security.cert.X509Certificate} it needs to be + * converted before it can be used and this property controls which JSSE + * provider is used to perform the conversion. For example it is used with + * the AJP connectors, the HTTP APR connector and with the + * {@link org.apache.catalina.valves.SSLValve}. If not specified, the + * default provider will be used. + */ + protected String clientCertProvider = null; + // ------------------------------------------------------------- Properties + public String getClientCertProvider() { return clientCertProvider; } + public void setClientCertProvider(String s) { this.clientCertProvider = s; } /** * Return compression level. 
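Review bot: The new field and its Javadoc are placed above the `// ---- Properties` separator while the one-line getter and setter go directly below it, immediately followed by the existing `/** Return compression level.` Javadoc with no blank line; the other six classes in this commit keep field, accessors and a trailing blank line together. Adding a blank line after `public void setClientCertProvider(String s) { this.clientCertProvider = s; }` (and, for consistency with the other hunks, keeping the accessor pair next to the field) would match the surrounding layout.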
@@ -1151,7 +1164,13 @@ public class Http11AprProcessor implemen X509Certificate[] certs = null; if (clientCert != null && certLength > -1) { certs = new X509Certificate[certLength + 1]; - CertificateFactory cf = CertificateFactory.getInstance("X.509"); + CertificateFactory cf; + if (clientCertProvider == null) { + cf = CertificateFactory.getInstance("X.509"); + } else { + cf = CertificateFactory.getInstance("X.509", + clientCertProvider); + } certs[0] = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(clientCert)); for (int i = 0; i < certLength; i++) { byte[] data = SSLSocket.getInfoB(socket, SSL.SSL_INFO_CLIENT_CERT_CHAIN + i); Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java?rev=1130936&r1=1130935&r2=1130936&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11AprProtocol.java Fri Jun 3 08:17:02 2011 
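Review bot: This hunk introduces the two-argument `CertificateFactory.getInstance("X.509", clientCertProvider)` call without the `catch (NoSuchProviderException e)` that the SSLValve and AJP hunks add; the hunk shows no handler, so presumably an enclosing catch or throws clause outside the visible lines absorbs it (the enclosing method starts and ends outside the hunk), and a misconfigured provider would then be reported, if at all, through that generic path without the provider name. A catch next to the factory call that logs `clientCertProvider` with the exception, mirroring the AJP processors, would make the failure identifiable in the log and keep the four conversion sites consistent.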
@@ -470,7 +470,22 @@ public class Http11AprProtocol implement */ public int getSSLVerifyDepth() { return endpoint.getSSLVerifyDepth(); } public void setSSLVerifyDepth(int SSLVerifyDepth) { endpoint.setSSLVerifyDepth(SSLVerifyDepth); } + + /** + * When client certificate information is presented in a form other than + * instances of {@link java.security.cert.X509Certificate} it needs to be + * converted before it can be used and this property controls which JSSE + * provider is used to perform the conversion. For example it is used with + * the AJP connectors, the HTTP APR connector and with the + * {@link org.apache.catalina.valves.SSLValve}. If not specified, the + * default provider will be used. + */ + protected String clientCertProvider = null; + public String getClientCertProvider() { return clientCertProvider; } + public void setClientCertProvider(String s) { this.clientCertProvider = s; } + + // -------------------- Connection handler -------------------- static class Http11ConnectionHandler implements Handler { @@ -628,6 +643,7 @@ public class Http11AprProtocol implement processor.setSocketBuffer(proto.socketBuffer); processor.setMaxSavePostSize(proto.maxSavePostSize); processor.setServer(proto.server); + processor.setClientCertProvider(proto.getClientCertProvider()); register(processor); return processor; } Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java?rev=1130936&r1=1130935&r2=1130936&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11NioProtocol.java Fri Jun 3 08:17:02 2011 
@@ -582,7 +582,19 @@ public class Http11NioProtocol implement public boolean getSSLEnabled() { return ep.isSSLEnabled(); } public void setSSLEnabled(boolean SSLEnabled) { ep.setSSLEnabled(SSLEnabled); } - + /** + * When client certificate information is presented in a form other than + * instances of {@link java.security.cert.X509Certificate} it needs to be + * converted before it can be used and this property controls which JSSE + * provider is used to perform the conversion. For example it is used with + * the AJP connectors, the HTTP APR connector and with the + * {@link org.apache.catalina.valves.SSLValve}. If not specified, the + * default provider will be used. + */ + protected String clientCertProvider = null; + public String getClientCertProvider() { return clientCertProvider; } + public void setClientCertProvider(String s) { this.clientCertProvider = s; } + // -------------------- Connection handler -------------------- Modified: tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java?rev=1130936&r1=1130935&r2=1130936&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java (original) +++ tomcat/tc6.0.x/trunk/java/org/apache/coyote/http11/Http11Protocol.java Fri Jun 3 08:17:02 2011 
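Review bot: Nothing in this commit passes the new `clientCertProvider` value of Http11NioProtocol to its processor, and the Http11Protocol hunk below has the same shape, so on these two connectors the setting is never used for a conversion; presumably it is exposed so that `request.getConnector().getProperty("clientCertProvider")` in SSLValve resolves uniformly across connector types, but that is not stated. The Javadoc is copied from the AJP/APR classes and promises that the property "controls which JSSE provider is used to perform the conversion", which a reader of this class will take to mean the NIO processor honours it; a sentence such as `On this connector the value is only consulted by components that read it as a connector property, such as the SSLValve; the processor itself performs no conversion.` would avoid that expectation.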
@@ -518,6 +518,20 @@ public class Http11Protocol setAttribute("keyAlias", keyAlias); } + /** + * When client certificate information is presented in a form other than + * instances of {@link java.security.cert.X509Certificate} it needs to be + * converted before it can be used and this property controls which JSSE + * provider is used to perform the conversion. For example it is used with + * the AJP connectors, the HTTP APR connector and with the + * {@link org.apache.catalina.valves.SSLValve}. If not specified, the + * default provider will be used. + */ + protected String clientCertProvider = null; + public String getClientCertProvider() { return clientCertProvider; } + public void setClientCertProvider(String s) { this.clientCertProvider = s; } + + // ----------------------------------- Http11ConnectionHandler Inner Class protected static class Http11ConnectionHandler implements Handler { Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1130936&r1=1130935&r2=1130936&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Fri Jun 3 08:17:02 2011 
@@ -118,6 +118,10 @@ Reduce level of log message for invalid URL parameters from WARNING to INFO. (kkolinko) </fix> + <add> + <bug>50887</bug>: Enable the provider to be configured when generating + SSL certs. Based on a patch by pknopp. (markt) + </add> <fix> <bug>51073</bug>: Throw an exception and do not start the APR connector if it is configured for SSL and an invalid value is provided for Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/ajp.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/ajp.xml?rev=1130936&r1=1130935&r2=1130936&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/ajp.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/ajp.xml Fri Jun 3 08:17:02 2011 
@@ -248,6 +248,17 @@ (i.e. buffering disabled)</p> </attribute> + <attribute name="clientCertProvider" required="false"> + <p>When client certificate information is presented in a form other than + instances of <code>java.security.cert.X509Certificate</code> it needs to + be converted before it can be used and this property controls which JSSE + provider is used to perform the conversion. For example it is used with + the AJP connectors, the <a href="http.html">HTTP APR connector</a> and + with the <a href="valve.html#SSL_Authenticator_Valve"> + org.apache.catalina.valves.SSLValve</a>.If not specified, the default + provider will be used.</p> + </attribute> + <attribute name="connectionTimeout" required="false"> <p>The number of milliseconds this <strong>Connector</strong> will wait, after accepting a connection, for the request URI line to be Modified: tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml?rev=1130936&r1=1130935&r2=1130936&view=diff ============================================================================== --- tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml (original) +++ tomcat/tc6.0.x/trunk/webapps/docs/config/http.xml Fri Jun 3 08:17:02 2011 
@@ -695,6 +695,17 @@ <a href="../ssl-howto.html">SSL HowTo</a> for an example.</p> </attribute> + <attribute name="clientCertProvider" required="false"> + <p>When client certificate information is presented in a form other than + instances of <code>java.security.cert.X509Certificate</code> it needs to + be converted before it can be used and this property controls which JSSE + provider is used to perform the conversion. For example it is used with + the <a href="ajp.html">AJP connectors</a>, the HTTP APR connector and + with the <a href="valve.html#SSL_Authenticator_Valve"> + org.apache.catalina.valves.SSLValve</a>. If not specified, the default + provider will be used.</p> + </attribute> + <attribute name="keystoreFile" required="false"> <p>The pathname of the keystore file where you have stored the server certificate to be loaded. By default, the pathname is --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org