Posted to users@tomcat.apache.org by Colin Freas <ce...@georgetown.edu> on 2001/08/27 23:10:41 UTC

Tomcat & SSL Encryption Level

I wrote this class some time ago to determine the security level of user
connections before allowing them to log in.

It worked with Resin, but now I'm using Tomcat 3.2.3 and the same code isn't
working.

Is there some relatively painless way of accessing the key length of SSL
connections?

Thanks,
Colin Freas

---

import java.io.*;
import java.sql.*;
import javax.servlet.*;
import javax.servlet.http.*;

public abstract class secureHttpServlet extends HttpServlet {

  String LoginURL, SecurityTooLowURL, BadProtocolURL;

  public void init() {
    //  Set default URLs for possible redirection.
    BadProtocolURL = "badProtocol.html";
    SecurityTooLowURL = "securityTooLow.html";
    LoginURL = "login.html";
  }

  //  secureXXX should be overridden to provide desired behavior.
  public void secureGet(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
  }

  public final void doGet(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
    Object ks = req.getAttribute("javax.servlet.request.key-size");
    HttpSession session = req.getSession(false);
    //  Check that https protocol used...
    if (req.getScheme().equals("https")) {
      //  Ensure at least 128-bit encryption used...
      if ((ks != null) && (Integer.parseInt(ks.toString()) >= 128)) {
        //  Check login status...
        if (session != null && session.getValue("s") != null) {
          secureGet(req,res);
        }
        else {
          res.sendRedirect(LoginURL);
        }
      }
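      else {
        //  ks is null when the container does not set the attribute;
        //  string concatenation prints "null" instead of throwing.
        System.out.println("Security level: " + ks);
        res.sendRedirect(SecurityTooLowURL);
      }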
    }
    else {
      res.sendRedirect(BadProtocolURL);
    }
  }
}


Re: Tomcat & SSL Encryption Level

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Mon, 27 Aug 2001, Colin Freas wrote:

> Date: Mon, 27 Aug 2001 17:10:41 -0400
> From: Colin Freas <ce...@georgetown.edu>
> Reply-To: tomcat-user@jakarta.apache.org
> To: Tomcat Users List <to...@jakarta.apache.org>
> Subject: Tomcat & SSL Encryption Level
>
>
> I wrote this class some time ago to determine the security level of user
> connections before allowing them to log in.
>
> It worked with Resin, but now I'm using Tomcat 3.2.3 and the same code isn't
> working.
>
> Is there some relatively painless way of accessing the key length of SSL
> connections?
>

In Servlet 2.3 (i.e. Tomcat 4.0) there is -- there's a new request
attribute that returns the key size:

  javax.servlet.request.cipher_suite

Unfortunately, this won't help you on Tomcat 3.2.3.

> Thanks,
> Colin Freas
>

Craig
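
The key-size gate discussed in this thread, as an added example that is not code from either poster or from Tomcat. It resolves the key size from whichever request attribute the container supplies and fails closed when none is usable. Assumptions: the class and method names are hypothetical, a Map stands in for req.getAttribute(name) so the block runs without the servlet API, javax.servlet.request.key_size is the Integer attribute that Servlet 2.3 defines alongside cipher_suite, and the suite-to-bits table is constructed for this example.

```java
import java.util.HashMap;
import java.util.Map;

// Added example: hypothetical helper, not from the thread or from Tomcat.
public class KeySizeCheck {
  static final int MIN_BITS = 128;  // same threshold as the servlet in the post

  // Constructed lookup: cipher-suite name fragment -> effective key bits.
  static final String[][] SUITE_BITS = {
    {"_WITH_NULL_", "0"}, {"_WITH_RC4_40_", "40"}, {"_WITH_RC2_CBC_40_", "40"},
    {"_WITH_DES40_CBC_", "40"}, {"_WITH_DES_CBC_", "56"},
    {"_WITH_RC4_128_", "128"}, {"_WITH_3DES_EDE_CBC_", "168"},
    {"_WITH_AES_128_", "128"}, {"_WITH_AES_256_", "256"}
  };

  // attrs stands in for req.getAttribute(name). Returns -1 if unknown.
  static int keyBits(Map<String, Object> attrs) {
    String[] names = {"javax.servlet.request.key_size",   // Servlet 2.3
                      "javax.servlet.request.key-size"};  // name used in the post
    for (String n : names) {
      Object v = attrs.get(n);
      if (v instanceof Integer) return (Integer) v;
      if (v != null) {
        try { return Integer.parseInt(v.toString().trim()); }
        catch (NumberFormatException e) { /* fall through to next source */ }
      }
    }
    // No numeric attribute: infer the size from the negotiated suite name.
    Object suite = attrs.get("javax.servlet.request.cipher_suite");
    if (suite != null) {
      for (String[] row : SUITE_BITS) {
        if (suite.toString().contains(row[0])) return Integer.parseInt(row[1]);
      }
    }
    return -1;
  }

  // Fail closed: an undeterminable key size is treated as too weak.
  static boolean strongEnough(Map<String, Object> attrs) {
    return keyBits(attrs) >= MIN_BITS;
  }

  public static void main(String[] args) {
    Map<String, Object> a = new HashMap<>();   // constructed sample requests
    a.put("javax.servlet.request.cipher_suite", "SSL_RSA_EXPORT_WITH_RC4_40_MD5");
    System.out.println(keyBits(a) + " " + strongEnough(a));
    a.put("javax.servlet.request.key_size", Integer.valueOf(128));
    System.out.println(keyBits(a) + " " + strongEnough(a));
    System.out.println(strongEnough(new HashMap<String, Object>()));
  }
}
```

In a servlet, the same lookups would be made with req.getAttribute(name) after the req.getScheme() check.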