Posted to dev@tomcat.apache.org by Paul Lamb <pa...@oil-law.com> on 2000/09/22 23:43:35 UTC

SSLSessions & Catalina

I'm working on a project using catalina, which only uses SSL connections. I
need to be able to track session termination, which from the SSL specs
should be possible--closure alerts. But it looks like two things need to
happen: 1) catalina has to use SSLSession and 2) I need to confirm that jsse
actually supports this functionality.

In looking at the catalina code, I don't see where it uses a SSLSession
except in certificate authentication. Is there anything that prevents this?
It looks like a change to the session code is going to be required.

I haven't yet found anything in the jsse docs that explicitly says it does
or doesn't support closure. It would seem odd if it didn't. It does say that
sessions may be "explicitly invalidated". The other concern is that the
docs state that "sessions used on a connection may be replaced by a
different session"; does this mean that session invalidation does or doesn't
happen if a session is replaced?

Paul Lamb



Re: SSLSessions & Catalina

Posted by "Craig R. McClanahan" <Cr...@eng.sun.com>.
Hi Paul,

Paul Lamb wrote:

> I'm working on a project using catalina, which only uses SSL connections. I
> need to be able to track session termination, which from the SSL specs
> should be possible--closure alerts. But it looks like two things need to
> happen: 1) catalina has to use SSLSession and 2) I need to confirm that jsse
> actually supports this functionality.
>

Catalina does in fact use the SSLSession provided by JSSE, in
org.apache.catalina.valves.CertificatesValve.  This Valve checks for the
presence of an SSLSocket, then for a session, then for a client certificate
chain (will be there only if you turn on client authentication), and then
converts the chain of certificates into the type of certificates required by the
servlet spec.  These certificates are cached (as an SSLSession attribute) so
that the conversion only has to be done once.

>
> In looking at the catalina code, I don't see where it uses a SSLSession
> except in certificate authentication. Is there anything that prevents this?
> It looks like a change to the session code is going to be required.
>

If you need it for a different purpose, you can write a Valve that gains access
to the underlying socket and session using CertificatesValve as a model.  Note
that this would have to be internal-to-Catalina code (i.e. loaded from a JAR
file in $CATALINA_HOME/server), such as a Valve, because it needs access to
internal objects.

To access SSL related stuff (other than the certificates) from an application
level servlet or filter, you are probably best off creating request attributes
(the same way that CertificatesValve does it).  Just be aware that you're tying
yourself to Catalina when you do this because providing any other types of SSL
information is not in the servlet spec, so it's not portable.

> I haven't yet found anything in the jsse docs that explicitly says it does
> or doesn't support closure. It would seem odd if it didn't. It does say that
> sessions may be "explicitly invalidated". The other concern is that the
> docs state that "sessions used on a connection may be replaced by a
> different session"; does this mean that session invalidation does or doesn't
> happen if a session is replaced?
>

JSSE 1.0.2 (which is what I'm currently using) definitely supports SSLSessions.
I haven't played with them explicitly very much, but it looks like you can
detect session termination (either explicit invalidate() or by other means)
using the same trick you use with servlet sessions -- store an object as an
SSLSession attribute that implements SSLSessionBindingListener, and wait for the
valueUnbound() event.

>
> Paul Lamb
>

Craig McClanahan

====================
See you at ApacheCon Europe <http://www.apachecon.com>!
Session VS01 (23-Oct 13h00-17h00):  Sun Technical Briefing
Session T06  (24-Oct 14h00-15h00):  Migrating Apache JServ
                                    Applications to Tomcat
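Added example (not Catalina's CertificatesValve and not code from either poster) putting both halves of Craig's reply on a bare JSSE socket: the socket -> SSLSocket -> SSLSession -> peer chain -> java.security.cert.X509Certificate[] walk with the result cached as an SSLSession attribute, and the SSLSessionBindingListener trick for noticing session termination. The attribute names are hypothetical, the Catalina Valve plumbing that hands you the underlying socket is assumed to be done by the caller, and the chain is read with getPeerCertificates() rather than the javax.security.cert accessor Craig's JSSE 1.0.2 had; the DER re-parse in toX509 is the same conversion CertificatesValve performs.

```java
import java.io.ByteArrayInputStream;
import java.net.Socket;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSessionBindingEvent;
import javax.net.ssl.SSLSessionBindingListener;
import javax.net.ssl.SSLSocket;

/** Example code, not part of Catalina; call it from your own Valve. */
public final class SslSessionInspector {

    // Hypothetical attribute keys (assumption); choose names that cannot
    // collide with anything else stored on the SSLSession.
    static final String CHAIN_ATTR = "example.peer-chain";
    static final String WATCH_ATTR = "example.termination-watcher";

    /** Bound into the SSLSession; valueUnbound fires when the session is invalidated. */
    static final class TerminationWatcher implements SSLSessionBindingListener {
        volatile boolean unbound = false;

        public void valueBound(SSLSessionBindingEvent e) {
            // Nothing to do on bind; only the unbind matters here.
        }

        public void valueUnbound(SSLSessionBindingEvent e) {
            // Called when the attribute is removed or the session is invalidated.
            unbound = true;
            System.err.println("SSL session " + hex(e.getSession().getId())
                    + " terminated (attribute " + e.getName() + " unbound)");
        }
    }

    /**
     * Mirrors the CertificatesValve walk. Returns null for a plain socket or
     * when no verified client certificate is present (client auth off).
     */
    static X509Certificate[] peerChain(Socket socket) throws CertificateException {
        if (!(socket instanceof SSLSocket)) {
            return null;                          // not SSL: nothing to inspect
        }
        SSLSession session = ((SSLSocket) socket).getSession();
        Object cached = session.getValue(CHAIN_ATTR);
        if (cached instanceof X509Certificate[]) {
            return (X509Certificate[]) cached;    // conversion already done once
        }
        Certificate[] peer;
        try {
            peer = session.getPeerCertificates();
        } catch (SSLPeerUnverifiedException e) {
            return null;                          // no client cert on this session
        }
        X509Certificate[] chain = toX509(peer);
        session.putValue(CHAIN_ATTR, chain);      // cache on the SSLSession
        return chain;
    }

    /**
     * Re-parse each certificate's DER encoding with CertificateFactory. This is
     * the conversion CertificatesValve needs for the legacy javax.security.cert
     * type as well: getEncoded() on either type yields DER bytes.
     */
    static X509Certificate[] toX509(Certificate[] in) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] out = new X509Certificate[in.length];
        for (int i = 0; i < in.length; i++) {
            out[i] = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(in[i].getEncoded()));
        }
        return out;
    }

    /** Install the termination watcher once per session (idempotent). */
    static TerminationWatcher watch(SSLSession session) {
        Object existing = session.getValue(WATCH_ATTR);
        if (existing instanceof TerminationWatcher) {
            return (TerminationWatcher) existing;
        }
        TerminationWatcher w = new TerminationWatcher();
        session.putValue(WATCH_ATTR, w);          // triggers valueBound
        return w;
    }

    static String hex(byte[] id) {
        StringBuilder sb = new StringBuilder();
        for (byte b : id) sb.append(String.format("%02x", b));
        return sb.toString();
    }
}
```

From a Valve's invoke(), call peerChain(socket) to get the converted chain (or null) and watch(((SSLSocket) socket).getSession()) to arm the listener; both are safe to call on every request because they check the session attributes first. One caveat for Paul's original question: valueUnbound reports SSL *session* termination, which is what invalidate() or session-cache eviction produces. A close_notify on one connection does not by itself invalidate the session, since the same session can be resumed on later connections, so this trick does not observe the closure alert itself, and a session being "replaced by a different session" on a connection simply means subsequent calls to getSession() return the new one while the old one keeps its attributes until it is invalidated.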