"Alex Tang" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> On Tue, Feb 11, 2003 at 10:42:33PM -0800, Bill Barker wrote:
> >
> > "Alex Tang" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]...
> > > Hi folks.
> > >
> > > I was wondering if it's possible to get client certificate information
> > > from tomcat (3.3.1) when running STANDALONE (e.g. NOT using mod_jk or an
> > > external webserver).
> > >
> > > I can set up tomcat so that it requires client-auth properly, however I
> > > don't seem to be able to programmatically get at any of the certificate
> > > information.
> > >
> >
> > This sounds like you've found the clientauth="true" attribute on the
> > Http10Connector element. This causes Tomcat to require a client cert for
> > each SSL request (unlike TC 4.x, it's an all-or-nothing setting).
>
> Hi bill. Thanks for your response.
>
> Yes, i did find "clientauth='true'". It does make my tc 3.3.1 instance
> require a client-cert for everything.
>
> > You should then be able to access the top-level cert (all that can be
> > exposed under the 2.2 Servlet-spec :() via
> > 'request.getAttribute("javax.servlet.request.X509Certificate")'. As per
> > section 5.7 of the 2.2 spec, this will be of type
> > java.security.cert.X509Certificate.
> >
> > I haven't tried this with the Http10Connector for a very long time (it seems
> > to work fine with the 3.3.2-dev CoyoteConnector). If you are still having
> > problems, please report it to http://nagoya.apache.org/bugzilla/.
>
>
> OK, this is getting more bizarre (well, for me at least). Originally, i
> was testing using SnoopServlet, and looking at the values of "Request
> attributes:" (which just iterates over the Enumeration returned from
> "request.getAttributeNames()").
>
> When using apache and mod_jk, i am getting the attributes:
>
> javax.servlet.request.cipher_suite
> javax.servlet.request.X509Certificate
> javax.servlet.request.ssl_session
>
> (Thanks to your reference, I realize that only the X509Certificate
> attribute is required by the servlet 2.2 spec.)
>
> When running in tomcat standalone, i get an empty Enumeration returned
> from "request.getAttributeNames()". I thought that the cert information was
> not available. However, if i do
>
> request.getAttribute ( "javax.servlet.request.X509Certificate" );
>
> a valid X509Certificate array is returned.
>
> Why is this attribute not showing up when doing
> "request.getAttributeNames()"? A sample servlet and the response i'm
> receiving is included below.
>
> Thanks again.
Because it is expensive to compute for people that don't care about it, this
attribute is a lazy-evaluation one. It only shows up after you request it.
There is not (currently) a method in the mod_jk protocol to call-back for
the SSL attributes, so it collects and sends them all (despite the cost :).
That's why you see it using mod_jk.
>
> ...alex...
>
>
> FYI: Here's a test servlet (basically a modified SnoopServlet):
>
> ---------------------------------------------------------------------------
> import java.io.IOException;
> import java.io.PrintWriter;
> import java.util.*;
> import javax.servlet.*;
> import javax.servlet.http.*;
> import java.security.cert.*;
>
> public class TestServlet extends HttpServlet {
>
>     public void doGet(HttpServletRequest request, HttpServletResponse response)
>         throws ServletException, IOException
>     {
>         PrintWriter out = response.getWriter();
>         response.setContentType("text/plain");
>
>         out.println("Test Servlet");
>         out.println();
>
>         // First pass: list whatever attribute names the container enumerates.
>         out.println("Dumping Request attributes:");
>         Enumeration e = request.getAttributeNames();
>
>         while (e.hasMoreElements()) {
>             String key = (String)e.nextElement();
>             Object value = request.getAttribute(key);
>             out.println(" " + key + " = " + value);
>         }
>
>         out.println("END Request attributes:");
>         out.println();
>
>         // Second pass: ask for the client certificate attribute by name.
>         out.println("Dumping request attribute " +
>             "javax.servlet.request.X509Certificate" );
>
>         X509Certificate[] certs = (X509Certificate[])request.getAttribute(
>             "javax.servlet.request.X509Certificate" );
>         if ( certs != null ) {
>             for ( int i = 0; i < certs.length; i++ ) {
>                 out.println ( " CERT " + i + ": " +
>                     certs[i].getSubjectDN().getName() );
>             }
>         }
>         out.println("END request attribute " +
>             "javax.servlet.request.X509Certificate" );
>     }
> }
> ---------------------------------------------------------------------------
>
>
> When I use tomcat 3.3.1 in standalone, i get the following results:
>
> ---------------------------------------------------------------------------
> Test Servlet
>
> Dumping Request attributes:
> END Request attributes:
>
> Dumping request attribute javax.servlet.request.X509Certificate
> CERT 0: CN=Alex Tang, OU=People, O=Funkware, C=US
> END request attribute javax.servlet.request.X509Certificate
> ---------------------------------------------------------------------------
>
> And for comparison, when i use apache and mod_jk, i get the following:
>
>
>
> ---------------------------------------------------------------------------
> Test Servlet
>
> Dumping Request attributes:
> javax.servlet.request.cipher_suite = RC4-MD5
> javax.servlet.request.X509Certificate = [Ljava.security.cert.X509Certificate;@203c31
> javax.servlet.request.ssl_session = 77971778D91F8A7AD58E765BDD7C3C1BD1AA05ADCC5B279BC5C7845F14AAE915
> END Request attributes:
>
> Dumping request attribute javax.servlet.request.X509Certificate
> CERT 0: CN=Alex Tang, OU=People, O=Funkware, C=US
>
> ---------------------------------------------------------------------------
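
An added example, not part of the original thread: a hypothetical helper (`ClientCertLookup`) that asks for the certificate attribute by name instead of relying on `getAttributeNames()`, and accepts both the single `X509Certificate` described in the reply and the array the test servlet received. The validity-period check is an extra defensive step assumed here, not something the thread requires.

```java
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletRequest;

// Hypothetical helper, added for illustration; not Tomcat code.
public final class ClientCertLookup {

    public static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private ClientCertLookup() {}

    /** Returns the client certificate(s), or an empty array if none is exposed. */
    public static X509Certificate[] chain(ServletRequest request) {
        // Request the attribute directly: a lazily evaluated attribute may be
        // absent from getAttributeNames() until it has been asked for.
        Object attr = request.getAttribute(CERT_ATTR);
        if (attr instanceof X509Certificate[]) {
            return (X509Certificate[]) attr;           // shape seen in the thread's output
        }
        if (attr instanceof X509Certificate) {
            return new X509Certificate[] { (X509Certificate) attr };  // single-cert shape
        }
        return new X509Certificate[0];
    }

    /**
     * Returns the subject DN (RFC 2253 form) of the first certificate,
     * or null when no certificate is present or it is outside its validity period.
     */
    public static String subjectDN(ServletRequest request) {
        X509Certificate[] certs = chain(request);
        if (certs.length == 0) {
            return null;
        }
        // Index 0 is the client's own certificate in the output shown in the thread.
        X509Certificate first = certs[0];
        try {
            first.checkValidity();   // date check only; the handshake did the chain validation
        } catch (CertificateExpiredException | CertificateNotYetValidException ex) {
            return null;
        }
        return first.getSubjectX500Principal().getName();
    }
}
```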