well... I'm stumped... I think this one is a question for Craig! As I said, I'm not familiar with the TC 4.0 source. Do you have any idea why javax.servlet.request.X509Certificate is not showing up in the Attribute list?

Regards, Stefan.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 15 December 2000 14:30
To: [EMAIL PROTECTED]
Cc: Stefán F. Stefánsson
Subject: Ref.: RE: X509 client certificate

hello stefan,

I prefer having two answers rather than none, so thank you for your help but... when I try with tomcat 4.0-m5 to sniff my https request, I obtain these Request attributes:

Request attributes:
filters.ExampleFilter.SERVLET_MAPPED = InvokerFilter(ApplicationFilterConfig[name=Servlet Mapped Filter, filterClass=filters.ExampleFilter])
javax.servlet.request.key-size = 40
filters.ExampleFilter.PATH_MAPPED = InvokerFilter(ApplicationFilterConfig[name=Path Mapped Filter, filterClass=filters.ExampleFilter])
javax.servlet.request.cipher-suite = SSL_RSA_EXPORT_WITH_RC4_40_MD5
...
Request Is Secure: true

Obviously, when I try to extract the javax.servlet.request.X509Certificate object with this command:

(java.security.cert.X509Certificate)request.getAttribute( "javax.servlet.request.X509Certificate" )

I obtain a null object. Any other idea?

Best regards
Jérôme

Stefán F. Stefánsson <[EMAIL PROTECTED]>
14/12/00 09:58
To: <[EMAIL PROTECTED]>
cc:
Subject: RE: X509 client certificate

woops... Seems like your mail has already been answered by Craig. As he said... you apparently need to upgrade to TC 4.0 m4 at least.

Regards, Stefan Freyr.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: 13 December 2000 15:30
To: Stefán F. Stefánsson
Subject: RE: X509 client certificate

Hi Stefan

I tried to extract the certificate from my request like you say in your mail, but I have an exception because the object returned by the request.getAttribute( "javax.servlet.request.X509Certificate" ) method wasn't of type java.security.cert.X509Certificate but [Ljava.security.cert.X509Certificate;

log file:

2000-12-13 16:21:10 StandardWrapperValve[org.apache.catalina.INVOKER.SnoopServlet]: Servlet.service() for servlet org.apache.catalina.INVOKER.SnoopServlet threw exception
java.lang.ClassCastException: [Ljava.security.cert.X509Certificate;
        at SnoopServlet.doGet(SnoopServlet.java:65)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:740)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:853)
        at org.apache.catalina.core.ApplicationFilterWrapper.doFilter(ApplicationFilterWrapper.java:159)
        at filters.ExampleFilter.doFilter(ExampleFilter.java:136)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:258)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:936)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:160)
        at org.apache.catalina.valves.ValveBase.invokeNext(ValveBase.java:242)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:311)
        at org.apache.catalina.valves.ValveBase.invokeNext(ValveBase.java:242)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:152)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:934)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:1674)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:161)
        at org.apache.catalina.valves.ValveBase.invokeNext(ValveBase.java:242)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:343)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:934)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:159)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:936)
        at org.apache.catalina.connector.http.HttpProcessor.process(HttpProcessor.java:787)
        at org.apache.catalina.connector.http.HttpProcessor.run(HttpProcessor.java:904)
        at java.lang.Thread.run(Thread.java:484)

Very strange, but do you have an idea about the problem?

Config: Apache Tomcat (v4.0-m1)

Best regards
Jérôme Camilleri
Bull France

You wrote:

Hi Alexandre.

I'm not sure I fully understand your question, but let me see if I can help you at all. The addSecureEndpoint method of EmbededTomcat used to be just like the one you described below. I added the addSecureEndpoint(int port, InetAddress addr, String hostname, String keyfile, String keypass, boolean clientAuth) to be able to force the client to show a certificate for logging in. I want to answer you in a few steps, so please bear with me.

1. Now, first of all I think you're going a little bit too long of a way using the addSecureEndpoint. Wouldn't it be easier for you to call the method I described above (the addSecureEndpoint(int, InetAddress, String, String, String, boolean)) instead of calling the original one (the addSecureEndpoint(int, InetAddress, String, String, String)) and changing the code in that? The modifications to the original addSecureEndpoint were for backwards compatibility. In other words, the original method, addSecureEndpoint, added an endpoint with no client authentication. I added a method that provides means for getting client authentication by means of client certificates, and modified the original call to call my method with client authentication == false. Hence, maintaining backwards compatibility. I would say you should much rather change the code in tomcat to what it was before and call addSecureEndpoint(int, InetAddress, String, String, String, boolean) in EmbededTomcat directly instead. That way you won't have to recompile Tomcat every time you change your mind about requiring a client certificate in your application.

2. Now for your problem at hand ;o). I don't know exactly how the getUserPrincipal method in the HttpServletRequest class is supposed to work, but what I got from the JavaDoc was:

Returns a java.security.Principal object containing the name of the current authenticated user. If the user has not been authenticated, the method returns null.

And from the JavaDoc for java.security.Principal, I got:

This interface represents the abstract notion of a principal, which can be used to represent any entity, such as an individual, a corporation, and a login id.

Now. You would think that Tomcat should serve up the DN of the client certificate when a user calls request.getUserPrincipal, but according to you, it doesn't. I don't know if there are any reasons for that, although I doubt it. I would think this is an oversight and should preferably be fixed. That shouldn't be too much trouble. The Servlet API specs are not all that clear about this issue. I would think that getUserPrincipal works for other types of authentication (the username/password type). I'll file a bug report on this matter after I finish this ;o)

Now for your solution. What you can do is call the method request.getAttribute( "javax.servlet.request.X509Certificate" ). This will return a java.security.cert.X509Certificate with all the information you could possibly want (well... almost) on your client. This includes the distinguished name of the client by using java.security.cert.X509Certificate.getSubjectDN().

I hope this helps!

Regards, Stefan.
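Pulling the thread together, here is an added example (not code from any of the posters or from Tomcat itself) of how a servlet should read the attribute: it is an X509Certificate[] chain rather than a single certificate, which is exactly what the "[Ljava.security.cert.X509Certificate;" in the ClassCastException above means, and it is null when no client certificate was negotiated. The servlet class name, the 128-bit key-size floor and the error responses are my own choices; the attribute names are those shown in Jérôme's dump.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ClientCertServlet extends HttpServlet {
    // Attribute names as they appear in the Tomcat 4.0-m5 dump in this thread;
    // later Servlet spec versions spell key-size/cipher-suite with underscores.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final String KEY_SIZE_ATTR = "javax.servlet.request.key-size";

    /** Subject DN of the client (leaf) certificate, or null if none was presented. */
    static String clientSubjectDn(HttpServletRequest request) throws CertificateException {
        Object attr = request.getAttribute(CERT_ATTR);
        if (attr == null) {
            // Endpoint not created with clientAuth=true, or client sent no certificate.
            return null;
        }
        // The attribute is the whole chain, not one certificate: casting it to
        // X509Certificate is what produced the ClassCastException in the log above.
        if (!(attr instanceof X509Certificate[])) {
            throw new CertificateException("unexpected type " + attr.getClass().getName());
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) return null;
        X509Certificate leaf = chain[0];   // element 0 is the client's own certificate
        leaf.checkValidity();              // throws if expired or not yet valid
        return leaf.getSubjectDN().getName();
    }

    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // 40-bit export suites like SSL_RSA_EXPORT_WITH_RC4_40_MD5 give no real confidentiality.
        Object keySize = request.getAttribute(KEY_SIZE_ATTR);
        if (!request.isSecure() || !(keySize instanceof Integer) || ((Integer) keySize) < 128) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "strong TLS required");
            return;
        }
        try {
            String dn = clientSubjectDn(request);
            if (dn == null) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
                return;
            }
            response.setContentType("text/plain");
            response.getWriter().println("Authenticated client: " + dn);
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "invalid client certificate");
        }
    }
}
```

Subject DN alone is not an identity check: the container only verifies the chain against its trust store if the endpoint was configured with clientAuth, so an application must still pin the expected issuer or DN before granting access.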