"Bill Harrelson" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
> To whoever can help:
>
> I have an application which requires certificates, and a bunch of
> servlets which don't. In my application I need to determine the
> originating client of the certificate-based connection
> (which comes from an enterprise application).  I can do this if I can
> get access to either the request Principal, or the certificate itself.
>
> I have tried to use
> req.getUserPrincipal();
> req.getAttribute("javax.servlet.request.X509Certificate"); and
> req.getAttribute("javax.net.ssl.peer_certificates");
>

This is specific to Tomcat 4.1 and higher, but:
  req.getAttribute("org.apache.coyote.request.X509Certificate");

should work.  Of course, this ties your application to Tomcat and there is
no guarantee that future versions of Tomcat will continue to support it
(although currently 5.0 does).

> all return null unless CLIENT-AUTH=true in server.xml is set,
>  (in which case the x509cert attribute returns the cert chain; the rest
> always return null)
> but this requires certificates for all access which is what I don't
> want.
>
> I also tried setting <Valve
> className="org.apache.catalina.valves.CertificatesValve"
>         certificates="true" debug="1"/>
> in the context for the application but it didn't seem to help.
>

CertificatesValve does nothing if you are using the Coyote connectors.

> I've also tried various combinations with CLIENT-CERT authorization in
> the
> deployment descriptor for the application.
> Some of the combinations simply block the interaction (saying no
> client-cert presented, when there is one.)
>

This is the usual way.  However, you have to use MemoryRealm, and enter the
DN of all of your certs into tomcat-users.xml.  Alternatively, you write
your own Realm that decides which certs you like.

> I'm running 4.1.24 and 4.1.27 on XP Pro and Win2000.
>
> Can anyone help?
>
> Thanks,
>
> Bill
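An added example (not code from either poster) of a servlet that does what the reply suggests: it tries the standard servlet attribute first, falls back to the Tomcat-specific Coyote attribute, and refuses to proceed when no chain is present instead of guessing the caller. The class and method names are my own; the chain is only meaningful if the connector actually verified it (clientAuth on the connector), which is the point Bill's observation about null values is about.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet: reads the client certificate chain from the request,
 * trying the Servlet-spec attribute first and the Tomcat 4.1/5.0 Coyote
 * attribute named in the reply second.
 */
public class ClientCertServlet extends HttpServlet {

    private static final String[] CERT_ATTRS = {
        "javax.servlet.request.X509Certificate",      // portable name
        "org.apache.coyote.request.X509Certificate"   // Tomcat-specific name
    };

    /** Returns the presented chain, or null if no attribute carries one. */
    static X509Certificate[] getClientChain(HttpServletRequest req) {
        for (int i = 0; i < CERT_ATTRS.length; i++) {
            Object value = req.getAttribute(CERT_ATTRS[i]);
            if (value instanceof X509Certificate[]) {
                X509Certificate[] chain = (X509Certificate[]) value;
                if (chain.length > 0) {
                    return chain;
                }
            }
        }
        return null; // no client cert presented, or connector did not expose it
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = getClientChain(req);
        if (chain == null) {
            // Not a certificate-authenticated connection: fail closed.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "client certificate required");
            return;
        }
        // chain[0] is the end-entity certificate; its subject DN is the value
        // a MemoryRealm entry in tomcat-users.xml would have to match.
        String subjectDn = chain[0].getSubjectX500Principal().getName();
        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated client: " + subjectDn);
    }
}
```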
