1. Client sends POST request (with content type other than "application/x-www-form-urlencoded") to SSL-enabled server (with client auth turned off).
2. Server parses request header, and determines that the resource identified by the request-URI is CLIENT-CERT protected.
3. Server's SSLAuthenticator valve reinitiates SSL handshake, w/ client auth turned on.
4. The server sends its HelloRequest, and expects to read the client's ClientHello. However, what it gets is the POST request's body, which hadn't been read yet.
5. SSL handshake fails.
In order to avoid this problem, SSLAuthenticator.authenticate() "clears" the socket in the case of a POST request by reading the POST request's body *before* reinitiating the handshake. To read the POST body, it calls CoyoteRequest.getParameterMap(), which reads and processes the POST body only if the content type equals "application/x-www-form-urlencoded".
Therefore, the SSL re-handshake works according to plan if the content type equals "application/x-www-form-urlencoded", but fails for any other content type.
Should we always read the POST body in getParameterMap(), and cache it in a byte[] if content type is different from "application/x-www-form-urlencoded", and have CoyoteRequest.getInputStream()/getReader() return wrappers around this byte[]?
Any better suggestions?
Thanks,
Jan
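As an added illustration of the approach proposed in the message (not Tomcat's own code), this request wrapper drains the whole POST body into a byte[] for any content type, so nothing unread is left on the socket when the CLIENT-CERT re-handshake starts, and then replays it from memory through getInputStream()/getReader(). It assumes the Servlet 3.1 javax.servlet API and a constructed size cap of 1 MiB, since buffering an unbounded body in memory is its own risk.

```java
import java.io.*;
import java.nio.charset.Charset;
import javax.servlet.ReadListener;
import javax.servlet.ServletInputStream;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;

// Hypothetical wrapper: read the entire request body once, before the SSL re-handshake,
// regardless of content type, and serve all later reads from the cached copy.
public class BodyCachingRequest extends HttpServletRequestWrapper {
    private static final int MAX_BODY = 1024 * 1024; // constructed cap, not a Tomcat setting
    private final byte[] body;

    public BodyCachingRequest(HttpServletRequest req) throws IOException {
        super(req);
        // Read to EOF: for a Content-Length body this consumes exactly the declared bytes,
        // so the next bytes on the connection are the ClientHello the server expects.
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        byte[] chunk = new byte[8192];
        int n;
        try (InputStream in = req.getInputStream()) {
            while ((n = in.read(chunk)) != -1) {
                if (buf.size() + n > MAX_BODY) {
                    throw new IOException("request body exceeds " + MAX_BODY + " bytes");
                }
                buf.write(chunk, 0, n);
            }
        }
        body = buf.toByteArray();
    }

    public int cachedLength() { return body.length; }

    @Override
    public ServletInputStream getInputStream() {
        final ByteArrayInputStream in = new ByteArrayInputStream(body);
        return new ServletInputStream() {
            @Override public int read() { return in.read(); }
            @Override public boolean isFinished() { return in.available() == 0; }
            @Override public boolean isReady() { return true; }
            @Override public void setReadListener(ReadListener l) { throw new UnsupportedOperationException(); }
        };
    }

    @Override
    public BufferedReader getReader() {
        // Servlet default charset when the request declares none is ISO-8859-1.
        String enc = getCharacterEncoding();
        Charset cs = Charset.forName(enc != null ? enc : "ISO-8859-1");
        return new BufferedReader(new InputStreamReader(new ByteArrayInputStream(body), cs));
    }
}
```

The authenticator would construct this wrapper (consuming the body) before reinitiating the handshake and pass the wrapper, rather than the raw request, down the pipeline.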