"Bill Harrelson" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> To whoever can help:
>
> I have an application which requires certificates, and a bunch of
> servlets which don't. In my application I need to determine the
> originating client of the certificate-based connection
> (which comes from an enterprise application). I can do this if I can
> get access to either the request Principal, or the certificate itself.
>
> I have tried to use
> req.getUserPrincipal();
> req.getAttribute("javax.servlet.request.X509Certificate"); and
> req.getAttribute("javax.net.ssl.peer_certificates");
>
This is specific to Tomcat 4.1 and higher, but:

req.getAttribute("org.apache.coyote.request.X509Certificate");

should work. Of course, this ties your application to Tomcat and there is no guarantee that future versions of Tomcat will continue to support it (although currently 5.0 does).

> all return null unless CLIENT-AUTH=true in server.xml is set,
> (in which case the x509cert attribute returns the cert chain, the rest
> always return null)
> but this requires certificates for all access, which is what I don't
> want.
>
> I also tried setting <Valve
> className="org.apache.catalina.valves.CertificatesValve"
> certificates="true" debug="1"/>
> in the context for the application but it didn't seem to help.
>

CertificatesValve does nothing if you are using the Coyote connectors.

> I've also tried various combinations with CLIENT-CERT authorization in
> the deployment descriptor for the application.
> Some of the combinations simply block the interaction (saying no
> client-cert presented, when there is one.)
>

This is the usual way. However, you have to use MemoryRealm, and enter the DN of all of your certs into tomcat-users.xml. Alternatively, you write your own Realm that decides which certs you like.

> I'm running 4.1.24 and 4.1.27 on XP Pro and Win2000.
>
> Can anyone help?
>
> Thanks,
>
> Bill
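As an added example (not code posted in this thread, and not part of Tomcat), here is a servlet that resolves the caller's identity the way the reply describes: it reads the portable Servlet-spec attribute first, falls back to the Tomcat/Coyote-specific attribute named above, and otherwise uses the container-authenticated Principal that CLIENT-CERT authorization with a Realm would set. The attribute names are the ones quoted in the thread; the class and method names are this example's own.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example: determine which client is behind a certificate-authenticated
 * request. Tries the portable attribute first and the Tomcat/Coyote-specific
 * one (mentioned in the reply above) second. Class name is hypothetical.
 */
public class ClientIdentityServlet extends HttpServlet {

    private static final String STANDARD_ATTR = "javax.servlet.request.X509Certificate";
    private static final String COYOTE_ATTR   = "org.apache.coyote.request.X509Certificate";

    /** Returns the client's certificate chain, or null if the connector presented none. */
    static X509Certificate[] clientChain(HttpServletRequest req) {
        Object chain = req.getAttribute(STANDARD_ATTR);
        if (chain == null) {
            chain = req.getAttribute(COYOTE_ATTR); // Tomcat-specific fallback
        }
        if (chain instanceof X509Certificate[] && ((X509Certificate[]) chain).length > 0) {
            return (X509Certificate[]) chain;
        }
        return null;
    }

    /**
     * Identity string for logging or authorisation decisions: the subject DN of
     * the leaf (end-entity) certificate, which is element 0 of the chain.
     * Falls back to the container-authenticated Principal, which is set when
     * CLIENT-CERT auth is configured in web.xml and a Realm matched the DN.
     * Returns null when neither is available.
     */
    static String clientIdentity(HttpServletRequest req) {
        X509Certificate[] chain = clientChain(req);
        if (chain != null) {
            return chain[0].getSubjectX500Principal().getName();
        }
        Principal p = req.getUserPrincipal();
        return p != null ? p.getName() : null;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String who = clientIdentity(req);
        if (who == null) {
            // No client certificate and no container-authenticated principal:
            // refuse rather than guess at the caller's identity.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated client: " + who);
    }
}
```

The subject DN is only trustworthy because the connector validated the chain against its truststore during the TLS handshake before exposing it as a request attribute; the servlet should never accept a certificate or DN delivered any other way (for instance in a request header), since that value is supplied by the caller rather than verified by the container.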