[
https://issues.apache.org/jira/browse/RAMPART-215?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12713980#action_12713980
]
Stefan Vladov commented on RAMPART-215:
---------------------------------------
Hi,
I noticed the fix enforcing client certificate usage, and as we ran into the same
issue a while ago I would like to note that it depends on the assumption that
Axis2 is running in a servlet container. Thus using the custom Axis2 NIO SSL
transport listener won't be handled correctly. Besides, I'm not sure whether all
available servlet containers populate the
"javax.servlet.request.X509Certificate" attribute on the servlet request -
Tomcat and Jetty do... I believe WebLogic and WebSphere also use the key but as
far as I know this is not part of the servlet specification, is it? Besides,
even if Tomcat/Jetty did wish to populate the user certificate chain
attribute, if there is an Apache in front of them it may not pass the client
certificate...
I actually intended to ask if you are aware of any other way of obtaining the
certificate that I may be missing... If not, since it is not always possible to
get hold of the client certificate (in case https client authentication was
indeed used), I suggest this validation is made configurable with a parameter or
sth.
Any comments are appreciated.
> <sp:HttpsToken /> policy with RequireClientCertificate="true" doesn't have
> any validations or include the client cert
> ---------------------------------------------------------------------------------------------------------------------
>
> Key: RAMPART-215
> URL: https://issues.apache.org/jira/browse/RAMPART-215
> Project: Rampart
> Issue Type: Bug
> Components: rampart-policy
> Reporter: Prabath Siriwardena
> Assignee: Nandana Mihindukulasooriya
>
--
This message is automatically generated by JIRA.
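
One way the configurable validation suggested in the comment above could look, as an added Java example (not Rampart's code and not part of the original message). Only the attribute key comes from the comment; the `enforce` switch, the `Outcome` names and the attribute-lookup function are hypothetical.

```java
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import java.util.function.Function;

public class ClientCertCheck {
    // Attribute key quoted in the comment above.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Hypothetical outcomes: UNVERIFIED means the check was skipped by
    // configuration and the caller should log that the policy was not enforced.
    enum Outcome { ACCEPTED, REJECTED, UNVERIFIED }

    /**
     * @param requestAttrs attribute lookup of the servlet request (for a real
     *                     request: request::getAttribute), or null when the
     *                     message did not arrive through a servlet container
     * @param enforce      hypothetical configuration parameter; true fails
     *                     closed whenever no certificate chain is visible
     */
    static Outcome check(Function<String, Object> requestAttrs, boolean enforce) {
        Object attr = (requestAttrs == null) ? null : requestAttrs.apply(CERT_ATTR);
        if (attr instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) attr;
            // An empty chain or a null leaf is treated the same as no chain.
            if (chain.length > 0 && chain[0] != null) {
                return Outcome.ACCEPTED;
            }
        }
        return enforce ? Outcome.REJECTED : Outcome.UNVERIFIED;
    }

    public static void main(String[] args) {
        // Constructed inputs: a request whose container (or a front-end proxy)
        // did not supply the attribute, and one carrying an empty chain.
        Map<String, Object> noAttr = new HashMap<>();
        Map<String, Object> emptyChain = new HashMap<>();
        emptyChain.put(CERT_ATTR, new X509Certificate[0]);

        System.out.println("no servlet request, enforce=true:  " + check(null, true));
        System.out.println("no servlet request, enforce=false: " + check(null, false));
        System.out.println("attribute missing, enforce=true:   " + check(noAttr::get, true));
        System.out.println("attribute missing, enforce=false:  " + check(noAttr::get, false));
        System.out.println("empty chain, enforce=true:         " + check(emptyChain::get, true));
    }
}
```

With `enforce` off, a policy that requires a client certificate is no longer verified at this layer, so that setting only makes sense where TLS client authentication is enforced by a component in front of the service.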