https://issues.apache.org/bugzilla/show_bug.cgi?id=56825

--- Comment #9 from jlmonteiro <jlmonte...@tomitribe.com> ---
Hi,

(In reply to Konstantin Kolinko from comment #8)
> Re-reviewing the changes in Tomcat 7 (revisions r1617447, r1620827 and
> r1622328) I have a question.
> 
> There exists ActionCode.REQ_SSL_ATTRIBUTE.
> 
> The method org.apache.catalina.connector.Request.getAttribute() does
> 
>   "if (isSSLAttribute(name))
>       coyoteRequest.action(ActionCode.REQ_SSL_ATTRIBUTE, ...)"
> 
> This action populates the "javax.servlet.request.X509Certificate" attribute
> (aka Globals.CERTIFICATES_ATTR).

Right, the getAttribute invokes ActionCode.REQ_SSL_ATTRIBUTE, but the main
difference between REQ_SSL_ATTRIBUTE and REQ_SSL_CERTIFICATE is the following
invocation:
  sslO = sslSupport.getPeerCertificateChain(<force>);

REQ_SSL_ATTRIBUTE --> force is false
REQ_SSL_CERTIFICATE --> force is true

REQ_SSL_ATTRIBUTE --> the certificate entry is never populated because the
certificate chain is never extracted (in the use case above)

> 
> I mean that it is effectively equivalent to the new API of using
> ActionCode.REQ_SSL_CERTIFICATE with parameter Boolean.FALSE.
> 


> > When using Tomcat SSL coyote connector, the request does not by default
> > contain the certificate chain under the key
> > javax.servlet.request.X509Certificate
> >
> > The following coyote action must be invoked in order to extract the
> > certificate chain and enrich the request under the right key.
> 
> Is the above really true? Why was the old code not working properly? Was all
> this fix really needed? Was the new API really needed?

I created the test to reproduce before proposing a fix. So if now it does not
fail anymore, there must be something else.

Did the following with this revision:
$ svn info
Path: .
Working Copy Root Path: /Users/jlmonteiro/devs/asf/tomcat/tc7.0.x/trunk
URL: http://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk
Repository Root: http://svn.apache.org/repos/asf
Repository UUID: 13f79535-47bb-0310-9956-ffa450edef68
Revision: 1616257
Node Kind: directory
Schedule: normal
Last Changed Author: markt
Last Changed Rev: 1615951
Last Changed Date: 2014-08-05 17:50:13 +0200 (Mar, 05 aoû 2014)

Kept the test case portion of my patch and it actually still fails.
So either my test is wrong which is definitely possible, or I missed something.

What do you think?

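The discussion above turns on whether javax.servlet.request.X509Certificate is populated at all. An added example (not code from the bug report or from Tomcat) of an application-side check that treats a missing or empty chain as "not authenticated" rather than silently passing the request through; the filter and class names are made up for illustration and the filter is assumed to be mapped in front of the protected resources:

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter (not part of Tomcat): fails closed when the client
// certificate chain is absent under the standard servlet attribute key.
public class RequireClientCertFilter implements Filter {
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = extractChain(req);
        if (certs == null) {
            // Either the client presented no certificate, or (as discussed in the
            // bug) the connector never extracted the chain into the attribute.
            // Both cases are treated as unauthenticated.
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);
    }

    // Returns the chain, or null when the attribute is missing or empty.
    static X509Certificate[] extractChain(ServletRequest req) {
        if (!req.isSecure()) {
            return null; // plain HTTP never carries a client certificate
        }
        Object attr = req.getAttribute(CERT_ATTR);
        if (attr instanceof X509Certificate[] && ((X509Certificate[]) attr).length > 0) {
            return (X509Certificate[]) attr;
        }
        return null;
    }
}
```

Whether the attribute is filled lazily (force=false) or eagerly (force=true) is the connector's concern; the filter only makes the "chain never extracted" case visible instead of silent.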