Posted to users@tomcat.apache.org by Sanjeev Sharma <sa...@buchanan-edwards.com> on 2012/02/06 18:01:20 UTC
Client Authentication--getting certificate information on the server side
Hello,
I'm trying to configure client authentication in Tomcat 7 on Windows 7. I have the following connector in the server.xml:
<Connector port="443"
protocol="HTTP/1.1"
SSLEnabled="true"
maxThreads="150"
scheme="https"
secure="true"
keystoreFile="d:\certs\server_cert.jks"
keystorePass="changeit"
truststoreFile="d:\certs\truststore.jks"
truststorePass="changeit"
clientAuth="true"
sslProtocol="TLS" />
In my web.xml I have the following :
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>PKI Enabled App</realm-name>
</login-config>
This forces client authentication when I try to access the app using a browser and when I provide a trusted certificate, I'm able to get authenticated. After the authentication I was expecting to get the client certificate information in the session, but I get nothing. How do I pass the Common Name from the subject line of the client certificate to the server during authentication so that I can access it from a struts action?
Thanks in advance.
Re: Client Authentication--getting certificate information on the server side
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Sanjeev,
On 2/6/12 12:01 PM, Sanjeev Sharma wrote:
> This forces client authentication when I try to access the app
> using a browser and when I provide a trusted certificate, I'm able
> to get authenticated. After the authentication I was expecting to get
> the client certificate information in the session, but I get
> nothing. How do I pass the Common Name from the subject line of the
> client certificate to the server during authentication so that I
> can access it from a struts action?
You've stumbled upon the answer, but this is all documented quite well
in the servlet specification. Pick a version -- any version -- and
read it.
-chris
RE: Client Authentication--getting certificate information on the server side
Posted by Sanjeev Sharma <sa...@buchanan-edwards.com>.
Thanks so much. I was just dumping session in psi-probe. I didn't think to look in the request. I get exactly what I need when I use request.getAttribute(org.apache.catalina.Globals.CERTIFICATES_ATTR). Thanks again!
-----Original Message-----
From: Pid [mailto:pid@pidster.com]
Sent: Monday, February 06, 2012 12:20 PM
To: Tomcat Users List
Subject: Re: Client Authentication--getting certificate information on the server side
On 06/02/2012 17:01, Sanjeev Sharma wrote:
> Hello,
>
> I'm trying to configure client authentication in Tomcat 7 on Windows 7. I have the following connector in the server.xml:
>
> <Connector port="443"
> protocol="HTTP/1.1"
> SSLEnabled="true"
> maxThreads="150"
> scheme="https"
> secure="true"
> keystoreFile="d:\certs\server_cert.jks"
> keystorePass="changeit"
> truststoreFile="d:\certs\truststore.jks"
> truststorePass="changeit"
> clientAuth="true"
> sslProtocol="TLS" />
>
> In my web.xml I have the following :
>
> <login-config>
> <auth-method>CLIENT-CERT</auth-method>
> <realm-name>PKI Enabled App</realm-name>
> </login-config>
>
> This forces client authentication when I try to access the app using a browser and when I provide a trusted certificate, I'm able to get authenticated. After the authentication I was expecting to get the client certificate information in the session, but I get nothing. How do I pass the Common Name from the subject line of the client certificate to the server during authentication so that I can access it from a struts action?
>
> Thanks in advance.
There are a number of variables (javax.servlet.request.ssl*) available in the *request* rather than the session. Which ones are you trying to access?
There's a list of various relevant things here:
http://svn.apache.org/repos/asf/tomcat/trunk/java/org/apache/catalina/Globals.java
p
--
[key:62590808]
Re: Client Authentication--getting certificate information on the server side
Posted by Pid <pi...@pidster.com>.
On 06/02/2012 17:01, Sanjeev Sharma wrote:
> Hello,
>
> I'm trying to configure client authentication in Tomcat 7 on Windows 7. I have the following connector in the server.xml:
>
> <Connector port="443"
> protocol="HTTP/1.1"
> SSLEnabled="true"
> maxThreads="150"
> scheme="https"
> secure="true"
> keystoreFile="d:\certs\server_cert.jks"
> keystorePass="changeit"
> truststoreFile="d:\certs\truststore.jks"
> truststorePass="changeit"
> clientAuth="true"
> sslProtocol="TLS" />
>
> In my web.xml I have the following :
>
> <login-config>
> <auth-method>CLIENT-CERT</auth-method>
> <realm-name>PKI Enabled App</realm-name>
> </login-config>
>
> This forces client authentication when I try to access the app using a browser and when I provide a trusted certificate, I'm able to get authenticated. After the authentication I was expecting to get the client certificate information in the session, but I get nothing. How do I pass the Common Name from the subject line of the client certificate to the server during authentication so that I can access it from a struts action?
>
> Thanks in advance.
There are a number of variables (javax.servlet.request.ssl*) available
in the *request* rather than the session. Which ones are you trying to
access?
There's a list of various relevant things here:
http://svn.apache.org/repos/asf/tomcat/trunk/java/org/apache/catalina/Globals.java
p
--
[key:62590808]
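
The request-attribute lookup this thread arrives at, as an added example that is not part of the original messages or of Tomcat's code. The class and method names are hypothetical and the sample subject is constructed; the helper takes the value returned by request.getAttribute(...) so it compiles without the servlet API on the classpath.

```java
import java.security.cert.X509Certificate;
import java.util.List;
import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

public class ClientCertCn {

    // Standard servlet request attribute; Tomcat 7's Globals.CERTIFICATES_ATTR holds this value.
    static final String CERTIFICATES_ATTR = "javax.servlet.request.X509Certificate";

    /** Pass in request.getAttribute(CERTIFICATES_ATTR); returns the subject CN, or null. */
    static String commonNameFromAttribute(Object attr) {
        if (!(attr instanceof X509Certificate[])) return null; // no client certificate on this request
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) return null;
        // chain[0] is the certificate the client presented; later entries are its issuers.
        return commonName(chain[0].getSubjectX500Principal());
    }

    /** Parses the DN with LdapName so escaped commas and multi-valued RDNs are handled. */
    static String commonName(X500Principal subject) {
        try {
            List<Rdn> rdns = new LdapName(subject.getName(X500Principal.RFC2253)).getRdns();
            // getRdns() is ordered right to left, so walk from the end to reach
            // the most specific (leftmost) RDN first.
            for (int i = rdns.size() - 1; i >= 0; i--) {
                Attribute cn = rdns.get(i).toAttributes().get("CN");
                if (cn != null) return String.valueOf(cn.get());
            }
        } catch (NamingException e) {
            return null; // unparseable subject: treat as "no usable CN"
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed subject with an escaped comma, which naive split(",") parsing would break on.
        X500Principal subject =
            new X500Principal("CN=Doe\\, Jane,OU=Engineering,O=Example Corp,C=US");
        System.out.println(commonName(subject));
        System.out.println(commonNameFromAttribute(null));
    }
}
```

A CN is only unique within one issuer, so which CAs sit in the truststore decides who can present a given name.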