You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2013/11/12 19:11:41 UTC

[Bug 41883] use abstract wrapper instead of plain X509Certificate during client authentication

https://issues.apache.org/bugzilla/show_bug.cgi?id=41883

Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #3 from Christopher Schultz <ch...@christopherschultz.net> ---
So... it's only been 6.5 years since this enhancement request was filed, but I
found it looking for something related.

I think it's unlikely that this will be fixed, because the servlet spec says
that the object found under "javax.servlet.request.X509Certificate" should be
an array of java.security.cert.X509Certificate objects. While the spec (and
API) doesn't bar any container from providing /subclasses/ of that class, any
code expecting to use such a subclass would no longer be container-neutral.

The kind of thing requested in this enhancement is best implemented in the
webapp and not in the container.

I'm marking this request as INVALID due to the semantic violation of the
servlet spec. Re-open if there is disagreement.

(Note that the container can already check the CRL status of the client
certificate for you and so the webapp does not have to ... unless you have a
nuanced setup where the container is not the appropriate place for those
checks).

-- 
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org