"Carlos Guardiola" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> (Hi everyone! Here I am again, asking for some help about https
> authentication and custom error pages.)
>
> Dear Mr. Bill Barker,
>
> We've used "clientAuth=want" as you suggested; and now we've managed to
> "know" that a client tried to access the application without a valid
> certificate. That is OK, and we thank you very much.
>
> But when we try to launch a customized error page, a new error happens. It
> seems that the connection with the remote browser is broken. Who closed it?
> When? How? The point is that we can't return our error page...

When checking for CLIENT-CERT authentication, Tomcat converts the clientAuth="want" to clientAuth="true". The result is that JSSE drops the connection when no cert is sent. I've just committed a patch to leave the clientAuth alone when "want" is specified. The result is that the socket will remain open even if the client refuses to send a cert, and so an error page can be sent back.

> I've seen that Mr. Alain Baucant has been working with the same problem.
> Maybe he could help us.
>
> Thanks in advance,
>
> Carlos Guardiola
>
>
> PS-
>
> We've got the stack trace in our catalina.out; it's quite large, I think I'm
> gonna send you a shorter one ;-)
>
> WARNING: Exception getting SSL Cert
> java.net.SocketException: Socket Closed
>         at java.net.PlainSocketImpl.setOption(PlainSocketImpl.java:177)
>         at java.net.Socket.setSoTimeout(Socket.java:924)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.setSoTimeout(DashoA6275)
>         at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:137)
>         at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
>         at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:163)
>         at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1082)
> (....)
>
> (Sysdate) org.apache.tomcat.util.net.jsse.JSSE14Support synchronousHandshake
> INFO: SSL Error getting client Certs
> javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
>         at com.sun.net.ssl.internal.ssl.SunJSSE_aw.b(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
>         at java.io.InputStream.read(InputStream.java:89)
>         at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
>         at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:105)
> (....)
>
> (Sysdate) org.apache.coyote.http11.Http11Processor action
> WARNING: Exception getting SSL Cert
> javax.net.ssl.SSLProtocolException: handshake alert: no_certificate
>         at com.sun.net.ssl.internal.ssl.SunJSSE_aw.b(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
>         at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
>         at java.io.InputStream.read(InputStream.java:89)
>         at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:126)
> (....)
>
> Here is the access log; it seems that it's trying to get the "Error 400"
> page...
>
> (client IP) - - [(Sysdate)] "GET /(app. directory)/ HTTP/1.1" 400 45
>
>
>
> -----Original Message-----
> From: news [mailto:[EMAIL PROTECTED]] On behalf of Bill Barker
> Sent: Friday, 05 March 2004 3:20
> To: [EMAIL PROTECTED]
> Subject: Re: Client authentication and customized error pages
>
> Using clientAuth="true", the error happens too early to be able to invoke an
> error-page. You might try using clientAuth="want" instead. In this case,
> the user still gets prompted for a cert, but the request continues if she
> hits "cancel". It is then the responsibility of your webapp to handle the
> case where there is no cert sent.
>
> "Carlos Guardiola" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> >
> > Hi everyone!
> > I'm using SSL client authentication in a Tomcat 5.0.19. Everything goes
> > fine, but I need some help customizing error pages.
> >
> > When a client wants to use my application, the browser asks him to choose
> > a valid certificate, but perhaps he hasn't a valid one. If he doesn't
> > have a certificate, the client authentication can't be done, so my
> > application is never invoked. O.K.
> >
> > So, the browser shows a "page not found" error, which isn't one of my
> > application's customized error pages (as my application has never been
> > invoked). How can I customize that error page, in order to show
> > something like "you need a valid certificate"?
> >
> > I've created my own ErrorReportValve, used in the
> > "errorReportValveClass" directive of the Host in my Tomcat's server.xml.
> > But it also seems not to be invoked...
> >
> > Any help will be useful, thanks in advance,
> >
> > Carlos
> >
> >

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
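As an added example (not code from the thread and not Tomcat's own), here is the part Bill Barker's reply leaves to the webapp: once the connector runs with clientAuth="want" and the handshake completes without a client certificate, something in the application has to notice the missing certificate and dispatch to the application's own error page instead of letting the request fall through. A servlet Filter mapped in front of the protected resources does this by reading the container-populated `javax.servlet.request.X509Certificate` attribute and calling `sendError()`, which is what lets Tomcat's `<error-page>` mapping take over. The package and class name, the 403 code, the error page path, the port and the keystore settings are illustrative assumptions; the filter also refuses to decide anything over plain HTTP so that a non-SSL connector cannot be used to bypass the check.

```java
// Added example, not from the thread or from Tomcat itself. Assumes a Servlet 2.4
// webapp on Tomcat 5.x; names, paths and ports below are illustrative.
//
// server.xml connector (clientAuth="want" so the handshake completes, and the
// socket stays open, even when the browser sends no certificate):
//
//   <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
//              keystoreFile="conf/server.jks" keystorePass="changeit"
//              clientAuth="want" />
//
// web.xml: the filter in front of everything, plus an error-page for the status
// the filter sends, so the user gets the application's page, not the browser's:
//
//   <filter>
//     <filter-name>RequireClientCert</filter-name>
//     <filter-class>example.RequireClientCertFilter</filter-class>
//   </filter>
//   <filter-mapping>
//     <filter-name>RequireClientCert</filter-name>
//     <url-pattern>/*</url-pattern>
//   </filter-mapping>
//   <error-page>
//     <error-code>403</error-code>
//     <location>/WEB-INF/jsp/need-cert.jsp</location>
//   </error-page>

package example;

import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class RequireClientCertFilter implements Filter {

    /** Request attribute the container fills with the client's chain when one was sent. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig config) { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Never decide over plain HTTP: without TLS there can be no client
        // certificate, and the non-SSL connector must not become a bypass.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // clientAuth="want": the handshake finished, the connection is alive,
            // the browser just sent nothing (e.g. the user hit Cancel). sendError()
            // makes Tomcat dispatch to the <error-page> for 403 above.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                               "A valid client certificate is required");
            return;
        }

        // A chain was presented and JSSE already verified it against the
        // truststore during the handshake. Re-check validity dates per request;
        // any application-level policy (allowed subjects, revocation) goes here.
        try {
            certs[0].checkValidity();
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                               "Client certificate is not currently valid: " + e.getMessage());
            return;
        }

        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

The filter only sees the attribute when the TLS handshake actually completed, which is exactly what the "want" handling described in the reply provides; with clientAuth="true" the connection is gone before any servlet code runs, so no filter or ErrorReportValve can help. Keep the 403 error page itself free of anything that needs a certificate, or the redirect to it will loop back into the same check.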