Mike Spreitzer wrote:

> How (in which version(s) of servlets?) do I discover security details
> beyond the basics revealed by HttpServletRequest.getAuthType,
> getUserPrincipal, isSecure, and isUserInRole?  In particular, I'd like to
> get (1) the X.509 certificate, if any, presented by a client using SSL/TLS,
> (2) the details negotiated for an SSL/TLS connection, and (3) the Windows
> AccessToken (or a suitable precursor) produced by an NTLM-flavored HTTP
> authentication interaction.
>

As of the Servlet API version 2.2 (see Section 5.7 of the spec) you can get the
certificate (if any) like this:

    java.security.cert.X509Certificate cert =
      (java.security.cert.X509Certificate)
        request.getAttribute("javax.servlet.request.X509Certificate");

but only if you're running in a J2SE or J2EE environment.  Some engines may
provide request attributes for the additional details you are after, but it's
all pretty servlet engine specific.  You'll need to check the docs for the
engine you are using.

Craig McClanahan
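
A defensive way to read the attribute from the reply above, as an added example that is not part of the original message: it accepts either a single certificate or an array (Servlet 2.3 and later define the attribute as an array with the client's own certificate first) and also reads the `javax.servlet.request.cipher_suite` and `javax.servlet.request.key_size` attributes that Servlet 2.3 standardized. The class and method names are hypothetical, and the servlet API jar is assumed to be on the classpath.

```java
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;

/** Added illustration; ClientCertInfo and its methods are hypothetical names. */
public final class ClientCertInfo {
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Standardized in Servlet 2.3; on a 2.2 engine these may simply be absent (null).
    private static final String CIPHER_ATTR = "javax.servlet.request.cipher_suite";
    private static final String KEY_SIZE_ATTR = "javax.servlet.request.key_size";

    private ClientCertInfo() {}

    /** Returns the client's own certificate, or null if none was presented. */
    public static X509Certificate clientCertificate(HttpServletRequest request) {
        if (!request.isSecure()) {
            return null; // the container did not receive this request over SSL/TLS
        }
        Object attr = request.getAttribute(CERT_ATTR);
        if (attr instanceof X509Certificate[]) {
            // Array form: the certificate sent by the client comes first.
            X509Certificate[] chain = (X509Certificate[]) attr;
            return chain.length > 0 ? chain[0] : null;
        }
        if (attr instanceof X509Certificate) {
            return (X509Certificate) attr; // single-object form, as in the reply above
        }
        return null; // attribute missing or of an unexpected type
    }

    /** One-line summary suitable for an audit log entry. */
    public static String describe(HttpServletRequest request) {
        X509Certificate cert = clientCertificate(request);
        StringBuilder sb = new StringBuilder();
        if (cert == null) {
            sb.append("clientCert=(none)");
        } else {
            sb.append("subject=\"").append(cert.getSubjectX500Principal().getName())
              .append("\" issuer=\"").append(cert.getIssuerX500Principal().getName())
              .append("\" serial=").append(cert.getSerialNumber().toString(16));
        }
        // String.valueOf renders a missing attribute as "null" instead of throwing.
        sb.append(" cipherSuite=").append(String.valueOf(request.getAttribute(CIPHER_ATTR)))
          .append(" keySize=").append(String.valueOf(request.getAttribute(KEY_SIZE_ATTR)));
        return sb.toString();
    }
}
```

A non-null result only means the container's SSL/TLS layer accepted the certificate under its own trust configuration; mapping the subject to an application identity and authorizing it is still the servlet's job.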
