Hi, Bill: I have a question regarding your comment that the CertificatesValve should not be used any more...
My understanding of how the CertificatesValve is used is the following:

1. The clientAuth attribute in server.xml only determines whether the Tomcat server by default will require a client certificate to authenticate (the default is false).
2. When a web app (servlet/jsp) that requires client auth (<auth-method>CLIENT-CERT</auth-method>) is deployed in the Tomcat server, Tomcat will install a CertificatesValve for the context of this web app (regardless of what Connector is used to process https).
3. When a client opens an HttpsURLConnection to the protected web resource, the CertificatesValve is invoked. And all it does is to recognize that client auth is needed -- so it invalidates the current socket session and forces a re-handshake with the client -- hence the client authentication happens.

It seems to me that the JSSESocketFactory only takes care of the first handshake. If Tomcat does not support a re-handshake, then how can Tomcat dynamically discover that a client needs to send its certificate? Can someone start the Tomcat server with clientAuth=false, but access a URI that is protected by CLIENT-CERT? If yes, then I think a re-handshake is a must.

Please lemme know if I am missing something here. Thanx so much for your help!

Q^2

[EMAIL PROTECTED] wrote:
> billbarker 2002/09/18 22:09:28
>
> Modified: util/java/org/apache/tomcat/util/net JSSESocketFactory.java
> Log:
> Fix problem with JSSE not honoring "clientauth".
>
> Now there should be no reason for anyone to believe that CertificatesValve should
> be used ever with the CoyoteConnector.
:-) > > Revision Changes Path > 1.3 +16 -2 >jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/JSSESocketFactory.java > > Index: JSSESocketFactory.java > =================================================================== > RCS file: >/home/cvs/jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/JSSESocketFactory.java,v > retrieving revision 1.2 > retrieving revision 1.3 > diff -u -r1.2 -r1.3 > --- JSSESocketFactory.java 18 Sep 2002 15:10:04 -0000 1.2 > +++ JSSESocketFactory.java 19 Sep 2002 05:09:28 -0000 1.3 > @@ -161,7 +161,18 @@ > > //determine whether we want client authentication > // the presence of the attribute enables client auth > - clientAuth = null != (String)attributes.get("clientauth"); > + String clientAuthStr=(String)attributes.get("clientauth"); > + if(clientAuthStr != null){ > + if(clientAuthStr.equals("true")){ > + clientAuth=true; > + } else if(clientAuthStr.equals("false")) { > + clientAuth=false; > + } else { > + throw new IOException("Invalid value '" + > + clientAuthStr + > + "' for 'clientauth' parameter:"); > + } > + } > > String keyPass=(String)attributes.get("keypass"); > if( keyPass==null) keyPass=defaultKeyPass; > @@ -224,11 +235,14 @@ > public Socket acceptSocket(ServerSocket socket) > throws IOException > { > + SSLSocket asock = null; > try { > - return socket.accept(); > + asock = (SSLSocket)socket.accept(); > + asock.setNeedClientAuth(clientAuth); > } catch (SSLException e){ > throw new SocketException("SSL handshake error" + e.toString()); > } > + return asock; > } > > /** Set server socket properties ( accepted cipher suites, etc) > > > > > -- > To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> > For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
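Review bot: In the first hunk (@@ -161,7 +161,18 @@) the attribute-absent case no longer assigns clientAuth at all, whereas the removed line `clientAuth = null != (String)attributes.get("clientauth");` set it to false whenever "clientauth" was missing; the default now rests on the field's initializer, which is not visible in this hunk, so an explicit `else { clientAuth = false; }` (or initialising the field where it is declared) would pin the documented default of false. The retained comment "the presence of the attribute enables client auth" is now stale, since presence alone no longer enables anything; it should say that the value must be "true" or "false" and that any other value is rejected. Two minor points: the message `"' for 'clientauth' parameter:"` ends with a stray colon, and the comparison is case-sensitive, so "True" from a hand-edited server.xml fails with an IOException; equalsIgnoreCase, or documenting the exact spelling, would avoid surprising operators. Rejecting unknown values instead of treating any non-null value as "enabled" is the right fail-closed choice.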
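Review bot: In the acceptSocket hunk (@@ -224,11 +235,14 @@) `asock.setNeedClientAuth(clientAuth)` runs unconditionally on every accepted socket, and SSLSocket.setNeedClientAuth(false) also overrides any earlier setWantClientAuth setting, so this makes optional client certificates impossible to configure anywhere else; calling it only when clientAuth is true, or setting the policy once on the SSLServerSocket in the method whose comment follows the hunk ("Set server socket properties ( accepted cipher suites, etc)"), where accepted sockets inherit it, would avoid both the override and the per-accept work. The approach itself is sound: JSSE defers the TLS handshake until the first read or write (or startHandshake()), so a flag set after accept() but before any I/O still governs the handshake. Worth a comment, though, is the consequence for the surrounding `catch (SSLException e)`: because the handshake has not happened yet when accept() returns, a client that fails to present a certificate will not be caught here, and the failure surfaces on the first I/O on the returned socket instead.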
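For the mechanism the question turns on (when JSSE actually runs the handshake, and the difference between requiring and merely requesting a client certificate), here is an added stand-alone example; it is not code from this thread, from Tomcat or from the patch above. It assumes a JKS keystore, given on the command line, that holds the server's private key and the CA certificate(s) trusted for client certificates; the port 8443 and the `Policy` enum are likewise assumptions made for the example.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not Tomcat code): a minimal TLS listener showing the three
 * client-authentication modes JSSE offers and where the handshake really happens.
 *
 * Assumption: a JKS keystore (path in args[0], password in args[1]) containing
 * the server's private key and the CA certificate(s) trusted for client certs.
 */
public class ClientAuthDemo {

    /** Client-authentication policy; NONE and NEED mirror clientauth=false/true. */
    enum Policy { NONE, WANT, NEED }

    static SSLServerSocket listen(String keystorePath, char[] password,
                                  int port, Policy policy) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks); // the same store doubles as the trust store for client certs

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);

        SSLServerSocket server =
            (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(port);
        // Set the policy once on the listening socket; every accepted SSLSocket
        // inherits it, so nothing has to be done per socket after accept().
        switch (policy) {
            case NEED: server.setNeedClientAuth(true); break; // handshake fails without a cert
            case WANT: server.setWantClientAuth(true); break; // cert requested, not required
            default:   server.setNeedClientAuth(false);       // also clears any WANT setting
        }
        return server;
    }

    /**
     * Returns the client certificate subject, or null when the client presented
     * none (only possible under WANT or NONE).
     */
    static String peerSubject(SSLSocket socket) throws IOException {
        // accept() only completed the TCP connection: JSSE runs the TLS handshake
        // lazily, on the first read/write or on this explicit call. That is why a
        // flag set between accept() and the first I/O still applies to the handshake.
        socket.startHandshake();
        try {
            Certificate[] chain = socket.getSession().getPeerCertificates();
            return ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
        } catch (SSLPeerUnverifiedException noClientCert) {
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: ClientAuthDemo <keystore.jks> <password> NONE|WANT|NEED");
            return;
        }
        Policy policy = Policy.valueOf(args[2]);
        try (SSLServerSocket server =
                 listen(args[0], args[1].toCharArray(), 8443, policy)) { // port is an assumption
            System.out.println("listening on 8443 with client auth " + policy);
            while (true) {
                try (SSLSocket client = (SSLSocket) server.accept()) {
                    String subject = peerSubject(client);
                    System.out.println(subject == null
                        ? "no client certificate presented"
                        : "client authenticated as " + subject);
                } catch (IOException handshakeFailure) {
                    // Under NEED, a client without a certificate ends up here, not in accept().
                    System.out.println("handshake failed: " + handshakeFailure.getMessage());
                }
            }
        }
    }
}
```

Run it with a keystore prepared for your environment and connect with a TLS client that does or does not hold a certificate issued by the trusted CA, and compare the three policies. Re-handshaking a connection that has already completed its first handshake, which the question attributes to the CertificatesValve, is a separate operation (a second startHandshake() on an established SSLSocket triggers a renegotiation under TLS 1.2 and earlier; TLS 1.3 has no renegotiation) and is not what this example does.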