I think there is a request property for this.

    X509Certificate[] cert = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

This property has an array of X509Certificates because you will be presented with a certificate chain, not just a single certificate.

To forward this certificate to another request, I think you will need to do the following:

1. Create a temporary keystore containing the client certificates
2. Create a KeyManagerFactory that uses this keystore
3. Create an SSLSocketFactory that uses your KeyManagerFactory
4. Set the default SSLSocketFactory for Https Url Connections

This is quite complicated, so maybe someone else knows a better way. I reckon it should work though.

Regards,
Andy

-----Original Message-----
From: Rodrigo Ruiz
To: Tomcat Users List
Sent: 21/11/2002 14:45
Subject: Retrieving SSL client certificates from the Request

Hi all,

Can I retrieve the SSL client certificate from an incoming request and use it in another one?

Let me explain the background:

We have implemented a server that only accepts SOAP requests. The purpose of this server is to act as a job dispatcher for a cluster of N machines. The jobs to execute are defined by the users, so we designed it to have a public API (accessed via SOAP calls), with which we can define jobs, upload executable files and resources and control execution in the cluster.

Currently, it uses basic authentication for all connections, but we are planning to pass to a two-way SSL authentication model in a short time.

Users access this server through different front-ends, ones more specialized than others. Some of them are themselves web applications. We want our front-end to capture the client certificate from a request, and use it to authenticate itself in its calls to our SOAP server.

We need this capability, because each user can have different permissions, and we don't want all connections through the front-end to be made with a common certificate. Also, we want to avoid the need to "register" the clients in our front-end, as it should act as a simple proxy to our soap service.

Is this possible from a servlet?

We are now using Tomcat 3.3.1, and migrating to 4.1.12 for client certificate authentication support.

Any help would be appreciated

--
GRIDSYSTEMS                Rodrigo Ruiz Aguayo
Parc Bit - Son Espanyol    Analyst Programmer
07120 Palma de Mallorca    [EMAIL PROTECTED]
Baleares - España          Tel:+34-971435085
www.gridsystems.com        Fax:+34-971435082

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
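
The keystore steps from the reply, as an added example (not code from either poster): a servlet receives only the client's certificate chain, not the matching private key, so this sketch builds the temporary keystore and asks a KeyManager what it could present in an outgoing TLS handshake. The class and method names are hypothetical, and main() assumes a root certificate from the JRE trust store as a stand-in for a client certificate.

```java
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;

public class ForwardedCertCheck {
    // In a servlet the container supplies the chain, leaf certificate first:
    //   X509Certificate[] chain = (X509Certificate[])
    //       request.getAttribute("javax.servlet.request.X509Certificate");

    /** Temporary in-memory keystore holding only the presented certificates. */
    static KeyStore keystoreFrom(X509Certificate[] chain) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null); // start empty; nothing is read from disk
        for (int i = 0; i < chain.length; i++) {
            ks.setCertificateEntry("client-" + i, chain[i]); // certificate only, no key
        }
        return ks;
    }

    /** Counts the identities a KeyManager built on ks could present as a TLS client. */
    static int usableClientIdentities(KeyStore ks) throws Exception {
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, new char[0]);
        int count = 0;
        for (KeyManager km : kmf.getKeyManagers()) {
            if (!(km instanceof X509KeyManager)) continue;
            for (String keyType : new String[] {"RSA", "EC", "DSA"}) {
                // Only entries that carry a private key are offered; null means none.
                String[] aliases = ((X509KeyManager) km).getClientAliases(keyType, null);
                if (aliases != null) count += aliases.length;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        // Stand-in input (assumption): a root certificate from the JRE trust store
        // plays the role of the client certificate, so this runs offline.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        X509TrustManager tm = (X509TrustManager) tmf.getTrustManagers()[0];
        X509Certificate[] roots = tm.getAcceptedIssuers();
        X509Certificate[] chain = roots.length > 0
            ? new X509Certificate[] { roots[0] } : new X509Certificate[0];
        KeyStore ks = keystoreFrom(chain);
        System.out.println("certificate entries:      " + ks.size());
        System.out.println("usable client identities: " + usableClientIdentities(ks));
    }
}
```

A keystore filled this way holds certificate entries but no key entries, so the KeyManager has no identity to offer: the chain tells the front-end who the user is, but it cannot authenticate the front-end's own connection as that user.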