Hi,

I am developing an application where I managed to use client authentication requiring a certificate installed in the browser. I have noticed, however, that when a certificate is expired or there is no certificate at all, Tomcat doesn't allow the user to use the application. This is right after all, but I find it too restrictive in its behaviour, since I can't even load static pages. I would like to be able to decide what to do when a certificate is expired or there is no certificate: possibly, in the former case, to display a message to renew the certificate; in the latter, to display another message that the application could only be accessed with a valid certificate.
Instead, Tomcat logs an exception like this:

25-lug-2005 9.59.32 org.apache.tomcat.util.net.jsse.JSSE14Support synchronousHandshake
INFO: SSL Error getting client Certs
javax.net.ssl.SSLHandshakeException: null cert chain
        at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.AppInputStream.read(DashoA6275)
        at java.io.InputStream.read(InputStream.java:89)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.synchronousHandshake(JSSE14Support.java:88)
        at org.apache.tomcat.util.net.jsse.JSSE14Support.handShake(JSSE14Support.java:67)
        at org.apache.tomcat.util.net.jsse.JSSESupport.getPeerCertificateChain(JSSESupport.java:120)
        at org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:1049)
        at org.apache.coyote.Request.action(Request.java:365)
        at org.apache.coyote.tomcat4.CoyoteRequest.getAttribute(CoyoteRequest.java:768)
        at org.apache.coyote.tomcat4.CoyoteRequestFacade.getAttribute(CoyoteRequestFacade.java:89)
        at org.apache.catalina.authenticator.SSLAuthenticator.authenticate(SSLAuthenticator.java:134)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:479)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.valves.CertificatesValve.invoke(CertificatesValve.java:199)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.catalina.core.StandardContext.invoke(StandardContext.java:2358)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:133)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.valves.ErrorDispatcherValve.invoke(ErrorDispatcherValve.java:118)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:116)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:534)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:594)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:127)
        at org.apache.catalina.core.StandardPipeline$StandardPipelineValveContext.invokeNext(StandardPipeline.java:596)
        at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:433)
        at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:948)
        at org.apache.coyote.tomcat4.CoyoteAdapter.service(CoyoteAdapter.java:152)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:799)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.processConnection(Http11Protocol.java:705)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:577)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
        at java.lang.Thread.run(Thread.java:534)

...

Does anybody know how I could achieve my purpose? Any help is appreciated, thank you very much.

Fabrizio
