----- Original Message ----- From: "Mark Thomas" <[EMAIL PROTECTED]> To: <[EMAIL PROTECTED]> Sent: Monday, August 11, 2003 3:23 PM Subject: RE: Bug 19867
> I have been looking into > > http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19867 > > and have a couple of questions. > > The error seen in this report is a result of specifying CLIENT-CERT > authentication without specifying a user-data-constraint. This causes a NPE > because the sslSupport attribute of the http11Processor object is null. > > I have looked at the servlet spec (2.3 and the draft of 2.4) and, based on the > 2.4 draft, the user-data-constraint is not mandatory (end of SRV.12.8) and the > use of CLIENT-CERT requires SSL (SRV.12.5.4). With this in mind, my first > question is: > > 1. If a user wants to use CLIENT-CERT should they have to specify a > user-data-constraint or should tomcat automatically apply SSL to the resources > in the web resource collection specified in the security constraint when the > auth constraint is CLIENT-CERT? Having read the spec, I can't figure out what > should happen. Having CLIENT-CERT imply a transport-guarantee sounds like a nice idea. However, it would violate section 12.8 of the current draft of the 2.4 spec. If the spec changes, then we could add it as a feature. If you feel strongly about this, then [EMAIL PROTECTED] is the place to write. > > Regardless of the answer to the above, if CLIENT-CERT is specified, > user-data-constraint is set to CONFIDENTIAL and there are no valid certs on the > client a number of exceptions get thrown by tomcat. This brings me to my > remaining question: > > 2. Not having a matching certificate is equivalent to getting the password > wrong. Therefore, shouldn't tomcat behave in a similar way (no exceptions, > return a 403 to the client) rather than throwing the exceptions? SSL doesn't work that way. If the client's cert can't be validated, then the connection is just dropped, so there is no way to send anything back to the client. If the certificate is valid, but not a known user, then Tomcat treats it the same way that it would Basic or Form. This isn't that big of an issue, for the simple reason that browsers generally don't give you the option to re-select a cert once you've chosen one. You're stuck having to close the browser and start all over again. > > With some guidance on the above, assuming that some code changes will be > required, I'll set about writing a patch. > > Note: Although the bug is reported against 4.1.24, the same behaviour is seen > with the latest 4.x.x and 5.x.x > > Regards, > > Mark > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [EMAIL PROTECTED] > For additional commands, e-mail: [EMAIL PROTECTED] >
This message is intended only for the use of the person(s) listed above as the intended recipient(s), and may contain information that is PRIVILEGED and CONFIDENTIAL. If you are not an intended recipient, you may not read, copy, or distribute this message or any attachment. If you received this communication in error, please notify us immediately by e-mail and then delete all copies of this message and any attachments. In addition you should be aware that ordinary (unencrypted) e-mail sent through the Internet is not secure. Do not send confidential or sensitive information, such as social security numbers, account numbers, personal identification numbers and passwords, to us via ordinary (unencrypted) e-mail.
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
