Posted to users@tomcat.apache.org by Gael Abadin <ga...@imatia.com> on 2016/02/01 10:16:56 UTC

Re: client ssl renegotiation after invalidating session

Thank you very much for your reply,

I tried your solution on APR, NIO and BIO connectors but it seems my
problem comes from somewhere else.

From what I could gather, it is a matter of browser SSL credentials store
mechanism, and it doesn't seem to have a solution yet (even the suggested
window.crypto.logout() for Firefox doesn't work for me. Firefox doesn't
seem to implement that function on its latest version):

http://stackoverflow.com/questions/10487205/https-client-certificate-logout-relogin

http://stackoverflow.com/questions/10229027/how-to-trigger-ssl-rehandshake-on-a-web-browser


For the time being I'll just warn the users that they are not being truly
logged out until they close all browser windows.


2016-01-29 18:56 GMT+01:00 George Stanchev <Gs...@serena.com>:

>
> <quoted mail>
> -----Original Message-----
> From: Gael Abadin [mailto:gael.abadin@imatia.com]
> Sent: Friday, January 29, 2016 10:33 AM
> To: Tomcat Users List
> Subject: client ssl renegotiation after invalidating session
>
> I want to invalidate the client ssl cert authentication after the user
> logs out of my application.
>
> There is nothing about it in the docs and google just digs out this
> unanswered old thread from this users list in 2007:
>
>
> https://mail-archives.apache.org/mod_mbox/tomcat-users/200706.mbox/%3C306958.89260.qm@web36804.mail.mud.yahoo.com%3E
>
> Does anybody know if there is any way to do it?
> </quoted mail>
>
> Depends on what your version of Tomcat is. Since we skipped from 5.5 to 7.0 I
> don't know if 6 has this attribute. For 5.5 we used reflection to dig into
> the Request object and dig out the SSLSessionManager, which was kind of annoying
> since things shifted underground and we had to readjust for different
> releases of 5.5.
>
>
>
> private static boolean invalidateTomcat7AndAboveSSLSession(HttpServletRequest httpRequest) {
>     String serverInfo = FedSrvServlet.getServletContainerServerInfo();
>
>     if (serverInfo == null) {
>         log.error("Failed to determine server version");
>         return false;
>     }
>
>     boolean compatibleTomcat =
>             (serverInfo.indexOf("Tomcat") > 0 && serverInfo.indexOf("7.0") > 0) ||
>             (serverInfo.indexOf("Tomcat") > 0 && serverInfo.indexOf("8.0") > 0) ||
>             (serverInfo.indexOf("Tomcat") > 0 && serverInfo.indexOf("9.0") > 0);
>
>     if (compatibleTomcat) {
>         // Invalidate the SSL Session (org.apache.tomcat.util.net.SSLSessionManager)
>         Method invalidateSessionMethod = null;
>         Object mgr = httpRequest.getAttribute("javax.servlet.request.ssl_session_mgr");
>         if (mgr != null) {
>             try {
>                 invalidateSessionMethod = mgr.getClass().getMethod("invalidateSession");
>                 if (invalidateSessionMethod == null) {
>                     log.error("Failed to reset SSL session: Method invalidateSessionMethod = "
>                             + "mgr.getClass().getMethod(\"invalidateSession\") failed to return method");
>                     return false; // never call invoke() on a null Method below
>                 }
>                 invalidateSessionMethod.setAccessible(true);
>             } catch (Throwable t) {
>                 // getMethod() throws NoSuchMethodException rather than returning null,
>                 // so a missing method lands here; bail out instead of invoking null.
>                 log.error("Failed to reset SSL session: " + t.getMessage(), t);
>                 return false;
>             }
>
>             // Invalidate the session
>             try {
>                 invalidateSessionMethod.invoke(mgr);
>                 log.trace("SSL session reset successfully");
>                 return true;
>             } catch (Throwable t) {
>                 log.error("Failed to reset SSL session: invalidateSession() threw exception: "
>                         + t.getMessage(), t);
>             }
>         } else {
>             log.error("Failed to reset SSL session: "
>                     + "httpRequest.getAttribute(\"javax.servlet.request.ssl_session_mgr\") "
>                     + "call failed to return session manager object");
>         }
>     }
>
>     return false;
> }
>
> Hope this helps.
>
> George
>



-- 
Alberto Gael Abadin Martinez
Junior Developer
IMATIA, www.imatia.com
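As an added example (not code from the thread), here is a Tomcat 7+ logout servlet that does both halves of what the messages above discuss: it invalidates the container session and then calls the same SSLSessionManager that George's code reaches by reflection, here via a direct cast to org.apache.tomcat.util.net.SSLSessionManager. It assumes tomcat-coyote is on the compile classpath and a Servlet 3.0+ container; the /logout path and the class and method names are mine.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
import org.apache.tomcat.util.net.SSLSessionManager;

// Added example, not from the thread. Path and class name are hypothetical.
@WebServlet("/logout")
public class LogoutServlet extends HttpServlet {

    // Request attribute under which Tomcat 7+ exposes its SSL session manager;
    // it is the same attribute George's reflection-based code reads.
    private static final String SSL_SESSION_MGR = "javax.servlet.request.ssl_session_mgr";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Drop the application session: authenticated state must end server-side
        //    regardless of what the browser does with its cached certificate.
        HttpSession session = req.getSession(false);
        if (session != null) {
            session.invalidate();
        }

        // 2. Invalidate the TLS session so the next request runs a full handshake
        //    instead of resuming the one that carried the client certificate.
        boolean tlsReset = invalidateTlsSession(req);

        // 3. The browser may still present the same certificate on the new handshake
        //    (the limitation Gael ran into), so say so rather than claim a full logout.
        resp.setHeader("Cache-Control", "no-store");
        resp.setContentType("text/plain");
        resp.getWriter().println(tlsReset
                ? "Logged out. Your browser may re-send its client certificate; close all browser windows to end the session completely."
                : "Logged out (application session only; this connector exposes no TLS session manager).");
    }

    /** Returns true only if Tomcat exposed an SSL session manager and it was invalidated. */
    static boolean invalidateTlsSession(HttpServletRequest req) {
        Object mgr = req.getAttribute(SSL_SESSION_MGR);
        if (!(mgr instanceof SSLSessionManager)) {
            return false; // plain HTTP, or a connector that does not expose the manager
        }
        ((SSLSessionManager) mgr).invalidateSession();
        return true;
    }
}
```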

RE: client ssl renegotiation after invalidating session

Posted by George Stanchev <Gs...@serena.com>.
Yeah, I forgot to mention that this works for NIO and BIO connectors. Not sure about the APR. And I've been there in regards to the caching in the browser. There is nothing I have found either...

George
