Re: user and certificate info is not passed to tomcat

Mon, 07 Oct 2019 08:27:41 -0700 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Magosányi,

On 10/7/19 11:16, Magosányi Árpád wrote:
>> Magosányi,
>>
>> On 10/7/19 10:37, Magosányi Árpád wrote:
>>> I intend to use the user and certificate info in a Filter.
>>
>>> I think I have configured everything to do that, but the
>>> information does not get passed along. Based on various
>>> documentations and howtos, SSLVerifyClient require, SSLOptions
>>> +StdEnvVars and SSLOptions +ExportCertData and JkExtractSSL On
>>> should be enough to pass certificate data, and Require
>>> valid-user should be enough to pass the authenticated
>>> username.
>>
>>> I see the following debug output (also contains the various
>>> info logged by the filter), which clearly lacks the information
>>> needed.
>> How are you getting the attributes from the request?
>
> This is the filter code:
>
>
> String user = httpRequest.getRemoteUser(); Object cert =
> httpRequest.getAttribute("javax.servlet.request.X509Certificate");
> this.context.log("user:"+user);

This won't show any username unless the user has logged-in using HTTP
Basic/Digest authentication. Are you using those?

To get the certificate chain, I think you also need this in your httpd
configuration:

    JkOptions +ForwardSSLCertChain

>> Is the CGI being executed by Tomcat or is it being executed by
>> httpd?
>
> Executed by Apache httpd.

Okay.

- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2bWSkACgkQHPApP6U8
pFgkdQ/+O3c3y8QZaBSyQk0do9nCyVl1os/GBGnBTmPYio7C3L/DHQ78LaERjJwl
DHvElopUxA5T7Jcbrg8mAN41lv3oLkoZqBv1htXxL/6JliRGG5DkH8ZCXbIBIH36
a2kVIJ2B4fbPryZ0kjZ+dmiHfJUYRr41NNZ0Ejrs93VEsV4+A8JZna74z4Wh0nRN
AwctTF/PTZuPrgEAVx7s9zxGFAasHWv5h3UIHXUmHKCmFQxY8bP8GUWXyAZ0pdtg
PiDJf3xAZeG2joB7n2M44VohGyFhG0i+x4fKYn212n8zq7bs++TbWiknrUAUQqMS
LFc6qXw85CxeKoJva4Q1F228HmtXJXLYw/6esjQHWdKqChU2IPUutrTFwxeb2hlf
ZBWHby77FyDQtErakxyVlv9Qi4bwmPeH4bR86ovarxhFYQ7bEcEyEAxdsY6HPnpj
we/pvHXWhb1Rs6MAthZyXzyhmGHu4nZyHbedQnsgX9hBAXerSqs0u8AQaAkmQLtd
dYDNQZ2jL5scN8jB951BMTlgskpxuWGyxG6xbBPM6/YdGTN9Qfgem7TRPzhDImO8
C53AheJwAK/RQGAoNaXIHK66p1bTR33IH3ycvmzsDhBxdtQcCRSpABL6Xm8LGxzS
PU2zKywcD5dqKu9Btd1+PECVy1MIPUkvl++Qv9TwTdqxwGoas3s=
=PCeu
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to