Posted to users@tomcat.apache.org by Subscriber <su...@sepo.dk> on 2007/05/03 13:35:58 UTC

Handling SSL Client Auth abort

Hi guys,

When a client cancels an SSL Client Auth request, Tomcat ends the request 
and it's not possible to "catch" this error - Does anybody have a 
solution to this problem?

Regards,
kews

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Handling SSL Client Auth abort

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Subscriber [mailto:subscriber@sepo.dk] 
> Subject: Re: Handling SSL Client Auth abort
> 
> This is OK - but how do I put custom code into the Tomcat? 

Download and modify the source.

> I've already coded a custom realm for the purpose of 
> verifying the certificate - could I use this realm to
> catch the exception?

Depends on where the exception is coming from.  If it's during the
initial SSL negotiation, I don't think the realm has been invoked; it's
likely to have been triggered in the connector (but I haven't looked at
the SSL code, so I can't be sure).  Look at the stack trace associated
with the exception.

 - Chuck





Re: Handling SSL Client Auth abort

Posted by Subscriber <su...@sepo.dk>.
Hi Bill,

Thanks for your answer. I've tried to download the source code for 
Tomcat 5.5.23, but I can't find a JIO Connector. Is JIO an abbreviation 
for something? Can you point me to a place, where I can find the source 
code and possibly make my own patch?

regards,
kews

Bill Barker wrote:
> "Subscriber" <su...@sepo.dk> wrote in message 
> news:463EF1B3.2090607@sepo.dk...
>> Hi,
>>
>>>> ...unfortunately I never get that far where I can catch the exception. 
>>>> The exception is thrown within Tomcat and in my application code.
>>> (I'll assume there's a rather critical "not" missing from the last
>>> clause in the above sentence.)
>> Of course - NOT in my application code :-)
>>> If the client refuses the certificate or otherwise breaks the connection
>>> during the SSL negotiation, no servlet has been selected to receive the
>>> message, so there's no one to deliver the exception to.  The servlet
>>> spec doesn't seem to have any notion of container-oriented error pages,
>>> so I think you're out of luck without custom code inside Tomcat.
>>>
>>>  - Chuck
>> This is OK - but how do I put custom code into the Tomcat? I've already 
>> coded a custom realm for the purpose of verifying the certificate - could 
>> I use this realm to catch the exception?
>>
> 
> Nope.  The realm only gets called after the client sends the cert.  If she 
> cancels, then TC just returns an error.  You could use a Valve to see if 
> this has happened, but the socket has already been shutdown by this time (at 
> least with the JIO connector), so you can't send anything back to the 
> client.
> 
> I seem to remember that there is a patch in BZ for 5.5.x to modify the JIO 
> connector to handle this (but I'm too lazy to look it up :).  I don't know 
> the APR connector well enough to know how to make the same type of 
> modification there.
> 
>> Regards,
>> kews
>>


Re: Handling SSL Client Auth abort

Posted by Bill Barker <wb...@wilshire.com>.
"Subscriber" <su...@sepo.dk> wrote in message 
news:463EF1B3.2090607@sepo.dk...
> Hi,
>
>>> ...unfortunately I never get that far where I can catch the exception. 
>>> The exception is thrown within Tomcat and in my application code.
>>
>> (I'll assume there's a rather critical "not" missing from the last
>> clause in the above sentence.)
> Of course - NOT in my application code :-)
>> If the client refuses the certificate or otherwise breaks the connection
>> during the SSL negotiation, no servlet has been selected to receive the
>> message, so there's no one to deliver the exception to.  The servlet
>> spec doesn't seem to have any notion of container-oriented error pages,
>> so I think you're out of luck without custom code inside Tomcat.
>>
>>  - Chuck
>
> This is OK - but how do I put custom code into the Tomcat? I've already 
> coded a custom realm for the purpose of verifying the certificate - could 
> I use this realm to catch the exception?
>

Nope.  The realm only gets called after the client sends the cert.  If she 
cancels, then TC just returns an error.  You could use a Valve to see if 
this has happened, but the socket has already been shutdown by this time (at 
least with the JIO connector), so you can't send anything back to the 
client.

I seem to remember that there is a patch in BZ for 5.5.x to modify the JIO 
connector to handle this (but I'm too lazy to look it up :).  I don't know 
the APR connector well enough to know how to make the same type of 
modification there.

> Regards,
> kews
>
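To make the Valve suggestion above concrete: the following is an added example, written for this thread and not code from Tomcat or from anyone in the discussion. It is a Tomcat Valve that notices a request arriving over SSL with no client certificate attached, logs it, and answers with a 403 instead of passing the request on. It assumes the Tomcat 5.5 Valve API (org.apache.catalina.valves.ValveBase with org.apache.catalina.connector.Request/Response) and a connector configured with clientAuth="want", so that a handshake in which the client presents no certificate still completes and reaches the pipeline; with clientAuth="true", or when the client aborts mid-handshake as Bill describes, the socket is gone before any Valve runs and there is nothing to send back. The package name is hypothetical.

```java
// Added example (not from the thread or from Tomcat itself): a Valve that
// detects and logs secure requests carrying no client certificate.
// Assumes Tomcat 5.5's Valve API and a connector with clientAuth="want".
package example; // hypothetical package name

import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;

public class MissingClientCertValve extends ValveBase {

    // Servlet-spec attribute under which the container exposes the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void invoke(Request request, Response response)
            throws IOException, ServletException {

        if (request.isSecure()) {
            X509Certificate[] chain =
                    (X509Certificate[]) request.getAttribute(CERT_ATTR);

            if (chain == null || chain.length == 0) {
                // The handshake completed, but the client offered no certificate.
                // Record it for the operators and return a readable error rather
                // than letting the request fall through to the web application.
                getContainer().getLogger().warn(
                        "No client certificate from " + request.getRemoteAddr()
                        + " for " + request.getRequestURI());
                response.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "A client certificate is required for this resource.");
                return;
            }
        }

        // Certificate present (or plain HTTP): continue down the pipeline,
        // where the realm can do its usual verification of the chain.
        getNext().invoke(request, response);
    }
}
```

Compile it against catalina.jar, drop the class into a jar under server/lib (Tomcat 5.5 layout) and register it in server.xml with <Valve className="example.MissingClientCertValve"/> inside the Host or Context whose resources need a certificate. The log line is the useful part from an operations standpoint: it gives you a record of which addresses are hitting certificate-protected paths without one, which is exactly the case the realm never sees.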


Re: Handling SSL Client Auth abort

Posted by Subscriber <su...@sepo.dk>.
Hi,

>> ...unfortunately I never get that far where I can catch the 
>> exception. 
>> The exception is thrown within Tomcat and in my application code.
>
> (I'll assume there's a rather critical "not" missing from the last
> clause in the above sentence.)
Of course - NOT in my application code :-)
> If the client refuses the certificate or otherwise breaks the connection
> during the SSL negotiation, no servlet has been selected to receive the
> message, so there's no one to deliver the exception to.  The servlet
> spec doesn't seem to have any notion of container-oriented error pages,
> so I think you're out of luck without custom code inside Tomcat.
> 
>  - Chuck

This is OK - but how do I put custom code into the Tomcat? I've already 
coded a custom realm for the purpose of verifying the certificate - 
could I use this realm to catch the exception?

Regards,
kews



RE: Handling SSL Client Auth abort

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Subscriber [mailto:subscriber@sepo.dk] 
> Subject: Re: Handling SSL Client Auth abort
> 
> ...unfortunately I never get that far where I can catch the 
> exception. 
> The exception is thrown within Tomcat and in my application code.

(I'll assume there's a rather critical "not" missing from the last
clause in the above sentence.)

If the client refuses the certificate or otherwise breaks the connection
during the SSL negotiation, no servlet has been selected to receive the
message, so there's no one to deliver the exception to.  The servlet
spec doesn't seem to have any notion of container-oriented error pages,
so I think you're out of luck without custom code inside Tomcat.

 - Chuck




Re: Handling SSL Client Auth abort

Posted by Subscriber <su...@sepo.dk>.
...unfortunately I never get that far where I can catch the exception. 
The exception is thrown within Tomcat and in my application code.

regards,
kews

Martin Gainty wrote:
> in the event of failed login you can throw AuthenticationException
> This comprehensive example is for SunOne; you can use the bits you need
> http://java.sun.com/developer/technicalArticles/WebServices/appserv8-1.html
> M--
> 
> ----- Original Message ----- From: "Subscriber" <su...@sepo.dk>
> To: "Tomcat Users List" <us...@tomcat.apache.org>
> Sent: Thursday, May 03, 2007 7:35 AM
> Subject: Handling SSL Client Auth abort
> 
> 
>> Hi guys,
>>
>> When a client cancels a SSL Client Auth request, Tomcat ends the 
>> request and it's not possible to "catch" this error - Does anybody 
>> have a solution to this problem?
>>
>> Regards,
>> kews
>>


Re: Handling SSL Client Auth abort

Posted by Martin Gainty <mg...@hotmail.com>.
in the event of failed login you can throw AuthenticationException
This comprehensive example is for SunOne; you can use the bits you need
http://java.sun.com/developer/technicalArticles/WebServices/appserv8-1.html
M--

----- Original Message ----- 
From: "Subscriber" <su...@sepo.dk>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Thursday, May 03, 2007 7:35 AM
Subject: Handling SSL Client Auth abort


> Hi guys,
> 
> When a client cancels a SSL Client Auth request, Tomcat ends the request 
> and it's not possible to "catch" this error - Does anybody have a 
> solution to this problem?
> 
> Regards,
> kews
> 