Tomcat 10.x uses the jakarta versions of the API, and I believe all the
attributes have been renamed:

"javax.servlet.request.X509Certificate" ->
"jakarta.servlet.request.X509Certificate"

Give that a quick try...


On Tue, Feb 25, 2025 at 4:45 PM Chris Evans <chris.ev...@astrion.us> wrote:

>
> Hello,
>
> I need assistance with accessing client certificates from a servlet.  This
> is not a servlet code question but a configuration question.  The call to:
> request.getAttribute("javax.servlet.request.X509Certificate");
>
> is not returning any certificates.  The last time that I needed to do this
> was Tomcat 7 and a lot has changed.
>
> When connecting with a browser, a trusted connection is established.
> Javax.net.debug output shows my client certificate and a complete
> chain have been accepted.
>
> I have also limited the TLS version to TLSv1.2.
>
> What have I missed?
>
> Thanks,
>
> Chris Evans
>
> OS: Ubuntu 22-04
> Tomcat Version: 10.1.36
>
> TLS Logging:
> env | grep OPT
> CATALINA_OPTS=-Djavax.net.debug=ssl,handshake
>
> Connector Configuration:
>
>           <Connector port="8443"
>                protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>                sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>                maxParameterCount="1000"
>                scheme="https"
>                xmlValidation="true"
>                maxThreads="150"
>                SSLEnabled="true"
>                secure="true"
>           >
>                <SSLHostConfig
>                     certificateVerificationDepth="4"
>                     truststoreFile="/home/ubuntu/tomcat/-REDACTED-.jks"
>                     truststorePassword="-REDACTED-"
>                     protocols="TLSv1.2"
>                     certificateVerification="required"
>                >
>                     <Certificate
>                          certificateFile="/home/ubuntu/tomcat/serverCert.pem"
>                          certificateChainFile="/home/ubuntu/tomcat/serverChain.pem"
>                          certificateKeyFile="/home/ubuntu/tomcat/rsaKey.pem"
>                          type="RSA" />
>                </SSLHostConfig>
>           </Connector>
>
> Java:
> import java.io.IOException;
> import java.security.cert.X509Certificate;
>
> import jakarta.servlet.ServletException;
> import jakarta.servlet.annotation.WebServlet;
> import jakarta.servlet.http.HttpServlet;
> import jakarta.servlet.http.HttpServletRequest;
> import jakarta.servlet.http.HttpServletResponse;
>
> @WebServlet("/hello")
> public class HelloServlet extends HttpServlet {
>     @Override
>     protected void doGet(HttpServletRequest request, HttpServletResponse response)
>             throws ServletException, IOException {
>         System.out.println("HelloServlet");
>         response.setContentType("text/html");
>         response.getWriter().println("<h1>Hello, World!</h1>");
>         // Retrieve client certificate
>         X509Certificate[] certs = (X509Certificate[])
>                 request.getAttribute("javax.servlet.request.X509Certificate");
>
>         if (certs != null && certs.length > 0) {
>             response.getWriter().println("Client Cert Subject: " +
>                     certs[0].getSubjectX500Principal());
>         } else {
>             response.getWriter().println("No Client Certificate Found.");
>         }
>
>     }
> }
>
> WARNINGS:
> javax.net.ssl|WARNING|21|https-jsse-nio2-8443-exec-2|2025-02-25 20:34:04.816 UTC|SSLExtensions.java:227|Ignore impact of unsupported extension: server_name
> javax.net.ssl|DEBUG|21|https-jsse-nio2-8443-exec-2|2025-02-25 20:34:04.817 UTC|SSLExtensions.java:219|Ignore unavailable extension: max_fragment_length
> javax.net.ssl|WARNING|21|https-jsse-nio2-8443-exec-2|2025-02-25 20:34:04.817 UTC|SSLExtensions.java:227|Ignore impact of unsupported extension: status_request
> javax.net.ssl|WARNING|21|https-jsse-nio2-8443-exec-2|2025-02-25 20:34:04.818 UTC|SSLExtensions.java:227|Ignore impact of unsupported extension: supported_groups
> javax.net.ssl|WARNING|21|https-jsse-nio2-8443-exec-2|2025-02-25 20:34:04.818 UTC|SSLExtensions.java:227|Ignore impact of unsupported extension: ec_point_formats
> javax.net.ssl|WARNING|21|https-jsse-nio2-8443-exec-2|2025-02-25 20:34:04.821 UTC|SSLExtensions.java:227|Ignore impact of unsupported extension: application_layer_protocol_negotiation
> javax.net.ssl|DEBUG|21|https-jsse-nio2-8443-exec-2|2025-02-25 20:34:04.821 UTC|SSLExtensions.java:219|Ignore unavailable extension: status_request_v2
> javax.net.ssl|WARNING|21|https-jsse-nio2-8443-exec-2|2025-02-25 20:34:04.823 UTC|SSLExtensions.java:227|Ignore impact of unsupported extension: extended_master_secret
>
>
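
An added example, not part of either message and not Tomcat's own code: a filter for Tomcat 10.x that reads the client certificate chain under the jakarta.* attribute name from the reply above and rejects the request when none is present, instead of silently continuing. The class name ClientCertFilter and the attribute name example.clientCertSubject are assumptions made for this example.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import jakarta.servlet.FilterChain;
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebFilter;
import jakarta.servlet.http.HttpFilter;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

// Added example: fail-closed client-certificate check for Tomcat 10.x (jakarta.* API).
@WebFilter("/*")
public class ClientCertFilter extends HttpFilter {
    // Attribute name defined by the Jakarta Servlet specification.
    static final String CERT_ATTR = "jakarta.servlet.request.X509Certificate";
    // Hypothetical attribute name this example uses to hand the subject to servlets.
    static final String SUBJECT_ATTR = "example.clientCertSubject";

    @Override
    protected void doFilter(HttpServletRequest req, HttpServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            // Log enough to tell "not a TLS request" apart from "TLS without a certificate".
            getServletContext().log("No client certificate: secure=" + req.isSecure()
                    + " scheme=" + req.getScheme());
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }
        // Index 0 is the certificate presented by the client; issuers follow.
        X509Certificate leaf = ((X509Certificate[]) attr)[0];
        try {
            // Chain trust was decided by the connector during the handshake;
            // this only re-checks the leaf's validity period at request time.
            leaf.checkValidity();
        } catch (CertificateException e) {
            getServletContext().log("Rejected client certificate: " + e.getMessage());
            res.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate not valid");
            return;
        }
        req.setAttribute(SUBJECT_ATTR, leaf.getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }
}
```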
