I wrote this class some time ago to determine the security level of user
connections before allowing them to login.
It worked with Resin, but now I'm using Tomcat 3.2.3 and the same code isn't
working.
Is there some relatively painless way of accessing the key length of SSL
connections?
Thanks,
Colin Freas
---
import java.io.*;
import java.sql.*;
import javax.servlet.*;
import javax.servlet.http.*;
public abstract class secureHttpServlet extends HttpServlet {
String LoginURL, SecurityTooLowURL, BadProtocolURL;
public void init() {
// Set default URLs for possible redirection.
BadProtocolURL = "badProtocol.html";
SecurityTooLowURL = "securityTooLow.html";
LoginURL = "login.html";
}
// secureXXX should be overridden to provide desired behavior.
public void secureGet(HttpServletRequest req, HttpServletResponse res)
throws ServletException, IOException {
}
public final void doGet(HttpServletRequest req, HttpServletResponse res)
throws ServletException, IOException {
Object ks = req.getAttribute("javax.servlet.request.key-size");
HttpSession session = req.getSession(false);
// Check that https protocol used...
if (req.getScheme().equals("https")) {
// Ensure at least 128-bit encryption used...
if ((ks != null) && (Integer.parseInt(ks.toString()) >= 128)) {
// Check login status...
if (session != null && session.getValue("s") != null) {
secureGet(req,res);
}
else {
res.sendRedirect(LoginURL);
}
}
else {
res.sendRedirect(SecurityTooLowURL);
System.out.println("Security level: " + ks.toString());
}
}
else {
res.sendRedirect(BadProtocolURL);
}
}
}
