Posted to dev@tomcat.apache.org by bu...@apache.org on 2007/03/18 21:12:12 UTC

DO NOT REPLY [Bug 41883] New: - use abstract wrapper instead of plain X509Certificate during client authentication

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG-
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=41883>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=41883

           Summary: use abstract wrapper instead of plain X509Certificate
                    during client authentication
           Product: Tomcat 6
           Version: unspecified
          Platform: Other
        OS/Version: other
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: hauser@acm.org


After a client certificate authentication, the certificate is in
org.apache.catalina.Globals.CERTIFICATES_ATTR 

As per object-oriented coding and design principles, I'd expect that a cert
would also entail methods to e.g. check its CRL status, etc.

java.security.cert.X509Certificate unfortunately doesn't.

In order to enable programmers to use smarter extensions of the certificate
object, I suggest 
   1) Tomcat to use an extension of the X509Certificate object that has a 
      constructor with the X509Certificate as an argument
   2) add an attribute in the server.xml's Connector element such that another 
      implementation can be specified - e.g. "X509CertClass"
      (http://tomcat.apache.org/tomcat-5.5-doc/config/http.html#SSL%20Support)
  
This allows such a smarter certificate implementation to be used in
org.apache.catalina.authenticator.SSLAuthenticator as well as later on in the
business logic, e.g. accessed via the httpServletRequest of an MVC framework
such as struts, by simply putting that implementation into
CATALINA_HOME/common/[lib/classes]

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


DO NOT REPLY [Bug 41883] - use abstract wrapper instead of plain X509Certificate during client authentication

Posted by bu...@apache.org.

------- Additional Comments From hauser@acm.org  2007-03-18 13:14 -------
The abstract class all extended X509Certificate implementations would have to
extend could be as simple as

import java.security.cert.X509Certificate;
import org.apache.commons.logging.Log;       // Tomcat 6 itself uses org.apache.juli.logging, same API
import org.apache.commons.logging.LogFactory;

public abstract class X509CertificateExtensible extends X509Certificate {
	private static final long serialVersionUID = 1L;
	// the certificate Tomcat obtained from the SSL handshake; subclasses forward to it
	protected X509Certificate javaCert = null;
	static Log log = LogFactory.getLog(X509CertificateExtensible.class);
	public X509CertificateExtensible(X509Certificate javaCert) {
		this.javaCert = javaCert;
	}
}

I am happy to provide a baseline wrapper that basically just maintains backward
compatibility.


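Added example, not code from the bug report or from Tomcat: the baseline wrapper offered in the comment above, forwarding every abstract method of java.security.cert.X509Certificate to the wrapped certificate, plus a static wrap() that instantiates a configured class name the way the proposed "X509CertClass" Connector attribute would, and a subclass adding the CRL status check the report asks for. The names X509CertificateWrapper, RevocationAwareCertificate and wrap() are assumptions.

```java
import java.lang.reflect.Constructor;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.*;
import java.util.*;
/** Baseline wrapper (assumed name): forwards every abstract X509Certificate method to the cert Tomcat produced. */
public class X509CertificateWrapper extends X509Certificate {
    private static final long serialVersionUID = 1L;
    protected final X509Certificate javaCert;   // the cert found in Globals.CERTIFICATES_ATTR
    public X509CertificateWrapper(X509Certificate javaCert) { this.javaCert = javaCert; }
    /** Models the proposed "X509CertClass" Connector attribute: instantiate the configured class by name. */
    public static X509Certificate wrap(String className, X509Certificate cert) throws ReflectiveOperationException {
        // asSubclass rejects a configured class that is not an X509Certificate before any instance is built
        Class<? extends X509Certificate> cls = Class.forName(className).asSubclass(X509Certificate.class);
        Constructor<? extends X509Certificate> ctor = cls.getConstructor(X509Certificate.class);
        return ctor.newInstance(cert);
    }
    public void checkValidity() throws CertificateExpiredException, CertificateNotYetValidException { javaCert.checkValidity(); }
    public void checkValidity(Date d) throws CertificateExpiredException, CertificateNotYetValidException { javaCert.checkValidity(d); }
    public int getVersion() { return javaCert.getVersion(); }
    public BigInteger getSerialNumber() { return javaCert.getSerialNumber(); }
    public Principal getIssuerDN() { return javaCert.getIssuerDN(); }
    public Principal getSubjectDN() { return javaCert.getSubjectDN(); }
    public Date getNotBefore() { return javaCert.getNotBefore(); }
    public Date getNotAfter() { return javaCert.getNotAfter(); }
    public byte[] getTBSCertificate() throws CertificateEncodingException { return javaCert.getTBSCertificate(); }
    public byte[] getSignature() { return javaCert.getSignature(); }
    public String getSigAlgName() { return javaCert.getSigAlgName(); }
    public String getSigAlgOID() { return javaCert.getSigAlgOID(); }
    public byte[] getSigAlgParams() { return javaCert.getSigAlgParams(); }
    public boolean[] getIssuerUniqueID() { return javaCert.getIssuerUniqueID(); }
    public boolean[] getSubjectUniqueID() { return javaCert.getSubjectUniqueID(); }
    public boolean[] getKeyUsage() { return javaCert.getKeyUsage(); }
    public int getBasicConstraints() { return javaCert.getBasicConstraints(); }
    public byte[] getEncoded() throws CertificateEncodingException { return javaCert.getEncoded(); }
    public PublicKey getPublicKey() { return javaCert.getPublicKey(); }
    public String toString() { return javaCert.toString(); }
    public void verify(PublicKey k) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException { javaCert.verify(k); }
    public void verify(PublicKey k, String p) throws CertificateException, NoSuchAlgorithmException, InvalidKeyException, NoSuchProviderException, SignatureException { javaCert.verify(k, p); }
    public boolean hasUnsupportedCriticalExtension() { return javaCert.hasUnsupportedCriticalExtension(); }
    public Set<String> getCriticalExtensionOIDs() { return javaCert.getCriticalExtensionOIDs(); }
    public Set<String> getNonCriticalExtensionOIDs() { return javaCert.getNonCriticalExtensionOIDs(); }
    public byte[] getExtensionValue(String oid) { return javaCert.getExtensionValue(oid); }
}
/** A "smarter" extension of the kind the report asks for (assumed name): CRL status against a CRL the caller loaded. */
class RevocationAwareCertificate extends X509CertificateWrapper {
    public RevocationAwareCertificate(X509Certificate c) { super(c); }
    public boolean isRevoked(X509CRL crl) { return crl.isRevoked(javaCert); }
}
```

Non-abstract methods such as getSubjectX500Principal() are not overridden; the JDK's default implementations re-parse getEncoded(), which is forwarded, so they keep working on the wrapper.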

DO NOT REPLY [Bug 41883] - use abstract wrapper instead of plain X509Certificate during client authentication

Posted by bu...@apache.org.


hauser@acm.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED




------- Additional Comments From hauser@acm.org  2007-03-19 01:30 -------
see also Bug 34643
