On 06/08/2014 14:54, Jean-Louis MONTEIRO wrote:
> Hello guys,
> 
> I'm currently facing an issue with the BaseAuthenticator.
> Before opening an issue on the bug tracker, I'd like to get your opinion
> guys.

The members of this list include both men and women. Please use a more
inclusive term than "guys".

> The use case is simple: use an HTTPS tomcat connector with mutual
> authentication (CLIENT-CERT).
> 
> It does not involve at all any front server like Apache HTTPD.
> 
> Everything works fine until you want to add the SSLAuthenticator valve with
> the preemptive mode.
> At the end of the invoke method (AuthenticatorBase), the presence of the
> X509 certificate is checked under the usual key (ie.
> request.getAttribute(Globals.CERTIFICATES_ATTR)).
> 
> This works fine when using an Apache HTTPD front, but does not work with
> tomcat SSL connectors cause the request is not populated.
> 
> If you check the authenticate() of the SSLAuthenticator that should be invoked
> if a certificate is found, if nothing is found in the request under the
> usual key, the following is done before trying again
> 
> request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE, null);
> 
> Roughly and simply speaking, the certificate is going to be extracted from
> the coyote request and the entry in the HTTP request is populated.
> 
> I'm wondering why it's not done also in the AuthenticatorBase?

An oversight.

> It makes it impossible to use the preemptive mode with the SSLAuthenticator
> valve.
> 
> I think creating a getRequestCertificate() method in the AuthenticatorBase
> that wraps up the logic of calling or not the coyote request would do the
> trick. Then it's just a matter of using it in the invoke method
> (AuthenticatorBase) or in the authenticate (SSLAuthenticator).

Agreed.

> Feedback welcome so that I can create a JIRA and submit a patch if you want.

Patches welcome (via Bugzilla, Tomcat doesn't use JIRA).

Mark
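The getRequestCertificate() helper proposed in the thread, written out as an added example (not Tomcat's own code and not the patch being discussed). It assumes Tomcat's org.apache.catalina.connector.Request, org.apache.catalina.Globals and org.apache.coyote.ActionCode classes, that the attribute holds an X509Certificate[] array, and adds a boolean wrapper for the preemptive check in invoke():

```java
// Added example, not Tomcat's own code. Class and attribute names are
// assumed from the Tomcat API referred to in the thread.
import java.security.cert.X509Certificate;

import org.apache.catalina.Globals;
import org.apache.catalina.connector.Request;
import org.apache.coyote.ActionCode;

public final class RequestCertificateHelper {

    private RequestCertificateHelper() {
    }

    /**
     * Returns the client certificate chain for the request, or null when the
     * client did not present one. Behind a front end such as HTTPD the
     * attribute is already populated and the action is never triggered; with
     * a Tomcat SSL connector the chain is only extracted on demand, so ask
     * the coyote request for it before giving up.
     */
    public static X509Certificate[] getRequestCertificate(Request request) {
        X509Certificate[] certs =
                (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
        if (certs == null || certs.length < 1) {
            // Pull the chain from the SSL session into the request attribute,
            // exactly as SSLAuthenticator.authenticate() does.
            request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE, null);
            certs = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
        }
        return (certs == null || certs.length < 1) ? null : certs;
    }

    /**
     * The check AuthenticatorBase.invoke() needs for preemptive mode: true
     * only when a chain is actually present, regardless of which connector
     * populated it.
     */
    public static boolean hasClientCertificate(Request request) {
        return getRequestCertificate(request) != null;
    }
}
```

Both invoke() in AuthenticatorBase and authenticate() in SSLAuthenticator can then share this single lookup instead of duplicating the attribute check.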


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
