Question about getting client certificate in servlet

[Mark Liu <ma...@yahoo.com>]

I am using Tomcat 4.1.18 in SSL mode under Win2K.  And my Web server requires client authentication.

As we know, if we visit a web server which requires client authentication, say, https://www.myweb.com , the browser brings up a dialog box which presents a list of valid certificates for you to choose from.

Then we select one of them and hit "ok", and the certificate is sent to the web server.

But no servlet is invoked by this action, so how can the web server get the client certificate information?

Suppose I want to intercept the client certificates in a servlet called CertInterceptor which contains the following code:

[CODE]

X509Certificate[] certs = (X509Certificate[])
httpRequest.getAttribute("javax.servlet.request.X509Certificate");

if (certs == null) {
//Processed a request that did not contain a client certificate.
}

//Attempt to extract principal name from Subject:
String clientDN = certs[0].getSubjectDN().getName();
...

[/CODE]

Usually, we invoke this servlet by way of a submit button *on the web page*.  But in this case, we want to invoke it by hitting an "OK" button in a dialog box that IE brings up.

Is this possible?  And if this is not the right way to intercept the client certificates submitted that way, how do we catch the client certificates?

Click here to get a better view of my question.
http://www.geocities.com/markliu1989/

Thanks!



---------------------------------
Do you Yahoo!?
Yahoo! Platinum - Watch CBS' NCAA March Madness, live on your desktop!