Posted to dev@tomcat.apache.org by Bob Herrmann <bo...@jadn.com> on 2002/11/05 22:28:31 UTC

Client-cert and POST

I have been snooping around this problem with client-cert and POSTs for
quite a while now.  I have a patch that fixes it, but I really don't
like my own work.

This topic has raised its ugly head a few times already here on
Tomcat-dev, but allow me to restate it (yet again... hopefully with more
clarity).

Clients can POST data to Tomcat.  They can do this on a secure socket.
Tomcat can be configured to protect resources from the client based on
the client's Certificates.  So, a client can be POSTing data to a secure
resource and Tomcat may not yet have gotten the Certificates it needs.
HERE IS WHERE STUFF GETS TRICKY (could I be wrong?) The certificate
exchange can only happen once the POST data is removed from the socket.
I talked with someone who implemented an SSL stack and he said that this
is the way the protocol is.  Boo.   So in order to support work
correctly, Tomcat must hold onto this POST until it is done, then
certify the client, then proceed or bail.  Messy messy.

I tweaked Tomcat5 Coyote to do this.  

It works by changing CoyoteRequest to change the InputStream to a
Buffered InputStream when a POST and an SSL Certrequest happen.

What do you think?

Cheers,
-bob
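The ordering constraint described in the post (drain the POST body off the socket, then renegotiate for the client certificate, then replay the saved body to the application), as an added Python simulation that is not Tomcat code and not part of the original thread. FakeTlsConn, MAX_SAVE_POST and the handler signature are constructed stand-ins; the size cap is an assumption, included because holding a body in memory across a handshake is where a server needs a bound.

```python
import io

MAX_SAVE_POST = 4096  # constructed cap: bodies larger than this are rejected, not buffered

class ClientCertRequired(Exception):
    """Renegotiation finished but the client presented no certificate."""

class PostTooLarge(Exception):
    """Body exceeds what we are willing to hold in memory during renegotiation."""

class FakeTlsConn:
    """Constructed stand-in for a TLS socket: the certificate handshake cannot
    start while unread application data (the POST body) is still on the socket."""

    def __init__(self, body, cert):
        self._buf = io.BytesIO(body)
        self._cert = cert

    def read(self, n):
        return self._buf.read(n)

    def renegotiate(self):
        if self._buf.read(1):
            raise RuntimeError("handshake blocked: unread POST data on the socket")
        return self._cert

def naive_serve(conn, content_length, handler):
    """The order that fails: ask for the certificate while the body is pending."""
    cert = conn.renegotiate()
    return handler(cert, io.BytesIO(conn.read(content_length)))

def buffer_post_body(conn, content_length, max_save=MAX_SAVE_POST):
    """Drain the body into memory first, refusing oversized bodies before reading."""
    if content_length > max_save:
        raise PostTooLarge(content_length)
    body = conn.read(content_length)
    if len(body) != content_length:
        raise ValueError("short read of POST body")
    return body

def buffered_serve(conn, content_length, handler, max_save=MAX_SAVE_POST):
    """Buffer, then renegotiate, then replay the saved body to the application."""
    saved = buffer_post_body(conn, content_length, max_save)
    cert = conn.renegotiate()  # socket is clear now, so the handshake can proceed
    if cert is None:
        raise ClientCertRequired()
    return handler(cert, io.BytesIO(saved))
```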