Peter,
I am able to do this with Apache 1.3.19/Tomcat
3.3/mod_jk/mod_ssl 2.8.2.
There are no Tomcat-specific configuration items to
worry about. You do have some mod_ssl directives to
add to your httpd.conf though.
You may already be doing this, but you need to specify
the URLs that should be protected by a client
certificate. For example:
    # These directives force the user to present a client
    # cert to access the certificate extraction servlet
    <Location /app/fetchcert>
        SSLVerifyClient optional_no_ca
        SSLOptions +StdEnvVars +ExportCertData
    </Location>
Then in your servlet (the "fetchcert" servlet in the
example), you can access the certificate with code
like:
    // requires: import java.security.cert.X509Certificate;
    try
    {
        X509Certificate cert = null;
        String certificate = null;
        /* Tomcat servlet engines expose the client certificate via the
           javax.servlet.request.X509Certificate attribute. Tomcat 3.2.3
           exposes the certificate as a string. Tomcat 3.3 exposes the
           certificate as an array of X509Certificate objects. */
        Object obj =
            request.getAttribute("javax.servlet.request.X509Certificate");
        if (obj != null) {
            if (obj instanceof String) {
                certificate = (String) obj;
            } else if (obj instanceof X509Certificate[]) {
                /* the client cert is the first in the array */
                cert = ((X509Certificate[]) obj)[0];
                debug("found cert array with length: " +
                      ((X509Certificate[]) obj).length);
            }
        }
    } catch ...
I haven't worked with Tomcat 4.0, but I think it's
likely that it exposes the client cert array in the
same way that Tomcat 3.3 does. It's the first place
to start...
Orion
--- Peter Buus <[EMAIL PROTECTED]> wrote:
> Hi,
>
> I have the following setup:
>
> Apache 1.3.22+mod_ssl 2.5.8+mod_webapp 1.1 talking to
> a Tomcat 4.0.1 via a
> warp connector.
>
> The Apache is requiring client certificates on a
> given URL which is then
> sent to Tomcat via warp.
> My question is now, how do I retrieve the SSL
> variables (e.g.
> SSL_CLIENT_CERT) from a servlet running on the
> Tomcat?
>
> Ideally, the SSL_CLIENT_CERT should be passed to
> Tomcat as a simple "dumb"
> request attribute, since everything to do with
> authentication is handled by
> my Apache+mod_ssl.
> In case you're wondering why I need the SSL vars
> exposed in Tomcat, it needs
> to be sent further on to another backend system.
> Therefore I do not
> need/require Tomcat to do any sort of authentication
> of the client cert, but
> retrieve it as a request attribute.
>
> I've tried various combinations of server/web.xml
> configs, but it seems that
> there is very little documentation which is
> applicable for my setup.
>
> Thanks in advance!
>
> --
> To unsubscribe:
> <mailto:[EMAIL PROTECTED]>
> For additional commands:
> <mailto:[EMAIL PROTECTED]>
> Troubles with the list:
> <mailto:[EMAIL PROTECTED]>
>
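
An added example, not part of the original posts: a Java helper that normalizes both attribute forms described in the reply (string and X509Certificate array) and re-encodes the certificate as PEM for forwarding to a backend. It rejects a missing certificate because mod_ssl's `optional_no_ca` accepts clients that send no certificate and does not require a presented one to verify against a CA, so the receiving backend still has to validate the chain. The class and method names are hypothetical, Java 8 or later is assumed, and the string form is assumed to be the PEM text exported by `+ExportCertData`.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;

/** Added example (hypothetical helper, not code from the original post). */
public class ClientCertAttribute {
    /** Normalizes the request attribute value to the client's leaf certificate. */
    static X509Certificate leafOf(Object attr) throws CertificateException {
        X509Certificate cert;
        if (attr instanceof X509Certificate[] && ((X509Certificate[]) attr).length > 0) {
            cert = ((X509Certificate[]) attr)[0]; // the client certificate is first
        } else if (attr instanceof String) {
            // Assumption: the string form is the PEM text that +ExportCertData exports.
            byte[] pem = ((String) attr).getBytes(StandardCharsets.US_ASCII);
            cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                    .generateCertificate(new ByteArrayInputStream(pem));
        } else {
            // null (no certificate sent, which optional_no_ca allows), empty array, or unknown type
            throw new CertificateException("no usable client certificate in attribute");
        }
        // Checks the validity period only; the chain is NOT verified here.
        cert.checkValidity();
        return cert;
    }

    /** Re-encodes the certificate as PEM for forwarding to the backend system. */
    static String toPem(X509Certificate cert) throws CertificateException {
        Base64.Encoder enc = Base64.getMimeEncoder(64, new byte[] {'\n'});
        return "-----BEGIN CERTIFICATE-----\n" + enc.encodeToString(cert.getEncoded())
                + "\n-----END CERTIFICATE-----\n";
    }

    public static void main(String[] args) {
        // Constructed inputs covering the rejection paths; a servlet would pass
        // request.getAttribute("javax.servlet.request.X509Certificate") instead.
        Object[] samples = { null, new X509Certificate[0], Integer.valueOf(7), "not a certificate" };
        for (Object sample : samples) {
            try {
                System.out.println(toPem(leafOf(sample)));
            } catch (CertificateException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```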