Posted to users@tomcat.apache.org by Fabrizio Lippolis <Fa...@AurigaInformatica.it> on 2005/07/25 10:10:14 UTC
Tomcat more tolerant to missing or expired client certificates
Hi,
I am developing an application where I managed to use client
authentication requiring a certificate installed in the browser. I have
remarked anyway that when a certificate is expired or there is no
certificate at all, Tomcat doesn't allow the user to use the
application. This is right after all, but I find it too restrictive
in its behaviour since I can't even load static pages. I would like to
be able to decide what to do when a certificate is expired or there is
no certificate, possibly in the former case to display a message to
renovate the certificate, in the latter to display another message that
the application could only be accessed with a valid certificate.
On the contrary, Tomcat logs an exception like this:
25-lug-2005 9.59.32 org.apache.tomcat.util.net.jsse.JSSE14Support synchronousHandshake
INFO: SSL Error getting client Certs
javax.net.ssl.SSLHandshakeException: null cert chain
        at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
        at java.io.InputStream.read(InputStream.java:89)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:88)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:67)
        at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:120)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1049)
        at org.apache.coyote.Request.action(Request.java:365)
        at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:768)
        at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:89)
        at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:134)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:479)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:199)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2358)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:133)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:118)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:116)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:534)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:127)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:152)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
        at java.lang.Thread.run(Thread.java:534)
...
Does anybody know how I could achieve my purpose? Any help
appreciated, thank you very much.
Fabrizio
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Tomcat more tolerant to missing or expired client certificates
Posted by Fabrizio Lippolis <Fa...@AurigaInformatica.it>.
Antonio Albendiz wrote:
> If you configure tomcat server in SSL mode, you can say what to do. In your
> server.xml, at the ssl connector it says what to do with the users. If you
> configure with no authentication, all users can see all. If you say "want" I
> think it says what to do with the user and if you put "true" it means that the
> user should have a good certificate.
I have already tried all the settings of the clientAuth attribute. If I
set it to "false" all the users can pass, and even if a user has a valid
certificate I can't read it. If I set it to "want" and the user has no
certificate or it has expired (which are the relevant cases for me) the
server answers with a 400 error. If I set it to "true" in these cases the
connection is dropped and I see no page in the browser.
What I want to do is to let the user pass even with an expired
certificate and possibly to give a kinder message when he/she has no
certificate.
Fabrizio
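The stack trace in the first message shows SSLAuthenticator (the CLIENT-CERT auth-method) asking for the certificate chain for the whole context, which is why even static pages fail when no certificate is presented. The usual way to get the behaviour asked for in both messages above (let static pages through, show a readable message instead of a 400 or a dropped connection) is to keep the connector at clientAuth="want", take the CLIENT-CERT security constraint off the paths that should stay reachable, and let a servlet filter inspect the chain Tomcat exposes under the Servlet-spec request attribute javax.servlet.request.X509Certificate. The filter below is an added example written for this thread, not code from Tomcat or from either poster; the class name, the PUBLIC_PREFIXES list and the clientCertSubject attribute are assumptions for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the thread): answers the "no certificate" and
 * "expired certificate" cases with a readable message instead of the
 * 400 / dropped connection described above.
 *
 * Assumes the HTTPS connector in server.xml uses clientAuth="want", so the
 * handshake completes without a client certificate, and that the
 * CLIENT-CERT security constraint is not applied to the paths this filter
 * covers, so requests reach the filter instead of SSLAuthenticator.
 * Written in Java 1.4 style to match the Tomcat 4 / JDK 1.4 of the trace.
 */
public class ClientCertFilter implements Filter {

    /** Request attribute defined by the Servlet spec for the client chain. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    static final int VALID = 0;
    static final int MISSING = 1;
    static final int EXPIRED = 2;
    static final int NOT_YET_VALID = 3;

    /** Hypothetical path prefixes that stay reachable without a certificate. */
    private static final String[] PUBLIC_PREFIXES = { "/static/", "/cert-help.html" };

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    /**
     * Classifies the chain Tomcat attached to the request. Element 0 is the
     * end-entity certificate; checkValidity() is the JDK's own date check.
     * Chain trust is NOT re-verified here: that was done in the handshake.
     */
    static int classify(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) {
            return MISSING;
        }
        try {
            chain[0].checkValidity();
            return VALID;
        } catch (CertificateExpiredException e) {
            return EXPIRED;
        } catch (CertificateNotYetValidException e) {
            return NOT_YET_VALID;
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Static pages and the help page are served whatever the certificate state.
        String path = request.getRequestURI().substring(request.getContextPath().length());
        for (int i = 0; i < PUBLIC_PREFIXES.length; i++) {
            if (path.startsWith(PUBLIC_PREFIXES[i])) {
                chain.doFilter(req, res);
                return;
            }
        }

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        int status = classify(certs);
        if (status == VALID) {
            // Hand the subject DN to the application so it need not re-parse the chain.
            request.setAttribute("clientCertSubject",
                    certs[0].getSubjectX500Principal().getName());
            chain.doFilter(req, res);
            return;
        }

        String message;
        if (status == MISSING) {
            message = "This application can only be accessed with a valid client certificate.";
        } else if (status == EXPIRED) {
            message = "Your client certificate expired on " + certs[0].getNotAfter()
                    + "; please renew it before continuing.";
        } else {
            message = "Your client certificate is not yet valid (valid from "
                    + certs[0].getNotBefore() + ").";
        }
        // 403 rather than 400: the request was well-formed, the credential was not acceptable.
        response.setStatus(HttpServletResponse.SC_FORBIDDEN);
        response.setHeader("Cache-Control", "no-store");
        response.setContentType("text/plain; charset=UTF-8");
        PrintWriter out = response.getWriter();
        out.println(message);
        out.flush();
    }
}
```

Map the filter to /* in web.xml. One caveat on the "expired" branch: with clientAuth="want" the JSSE trust manager still validates the chain during the handshake, and an expired certificate fails there before any servlet code runs, so under default handshake validation only the MISSING branch is reachable. That is the safer arrangement: keep the handshake strict, and use the filter to turn the missing-certificate case into a friendly page while static content stays available.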
RE: Tomcat more tolerant to missing or expired client certificates
Posted by Antonio Albendiz <an...@gextech.com>.
If you configure tomcat server in SSL mode, you can say what to do. In your
server.xml, at the ssl connector it says what to do with the users. If you
configure with no authentication, all users can see all. If you say "want" I
think it says what to do with the user and if you put "true" it means that the
user should have a good certificate.
I'm sorry if that doesn't help you
-----Original Message-----
From: Fabrizio Lippolis [mailto:Fabrizio.Lippolis@AurigaInformatica.it]
Sent: Monday, 25 July 2005 10:10
To: tomcat-user@jakarta.apache.org
Subject: Tomcat more tolerant to missing or expired client certificates