I'm attempting to run this from within Oracle 19c, so I believe that is
throwing a whole other wrinkle in there.
On Wed, Jun 21, 2023 at 1:48 PM Mark Thomas <ma...@apache.org> wrote:
>
>
> On 21/06/2023 18:29, Timothy Ward wrote:
> > I tried the following:
> >
> > import javax.servlet.http.HttpServletRequest;
>
> If you are using the Java EE imports ...
>
> > import javax.security.cert.Certificate;
> > import javax.security.cert.X509Certificate;
> >
> > X509Certificate[] certs = (X509Certificate[])
> >
> getHttpServletRequest().getAttribute("jakarta.servlet.request.X509Certificate");
>
> ... you should be using the Java EE attribute names. Replace "jakarta"
> with "javax".
>
> It should still compile though, even with the wrong attribute name. Is
> the ORDS related? I'm not familiar with that tool so I don't know what
> might be going on.
>
> Mark
>
> >
> > and I'm getting:
> >
> > [Error] (1: 0): GrabCert:33: error: cannot find symbol,
> > [Error] (1: 0): X509Certificate[] certs = (X509Certificate[])
> >
> getHttpServletRequest().getAttribute("jakarta.servlet.request.X509Certificate");,
> > [Error] (1: 0): ^,
> > [Error] (1: 0): symbol: method getHttpServletRequest(),
> > [Error] (1: 0): location: class GrabCert, [Error] (1: 0): 1 error
> >
> > I've tried various other versions as well after googling it and haven't
> > been able to get anything to compile.
> >
> > On Mon, Jun 12, 2023 at 12:11 PM Mark Thomas <ma...@apache.org> wrote:
> >
> >> On 12/06/2023 12:00, Timothy Ward wrote:
> >>> Changing the CGI Servlet may be the easiest route, but if I wanted to
> use
> >>> it as intended, I'm guessing I would use the original Java code that
> you
> >>> sent below?
> >>>
> >>> X509Certificate[] certs =
> >>>
> >>
> (X509Certificate[])getHttpServletRequest().getAttribute("jakarta.servlet.request.X509Certificate");
> >>>
> >>>
> >>> I would just have to figure out how to do that within Oracle.
> >>
> >> That should get you the value with ORDS (I've never used ORDS). I don't
> >> think you'll be able to pass it to the CGI though.
> >>
> >> Mark
> >>
> >>
> >>>
> >>> On Mon, Jun 12, 2023 at 6:17 AM Mark Thomas <ma...@apache.org> wrote:
> >>>
> >>>> If you decide to go the route of modifying Tomcat's CGI servlet, this
> is
> >>>> probably where you'll want to add the TLS info:
> >>>>
> >>>>
> >>>>
> >>
> https://github.com/apache/tomcat/blob/main/java/org/apache/catalina/servlets/CGIServlet.java#L771
> >>>>
> >>>> You should be able to copy the source of Tomcat's CGI servlet, modify
> as
> >>>> required and then just deploy it as part of the web application the
> same
> >>>> way you would any other servlet.
> >>>>
> >>>> Mark
> >>>>
> >>>>
> >>>> On 12/06/2023 10:41, Timothy Ward wrote:
> >>>>> I'm converting an application from using Oracle Http Server which is
> a
> >>>>> version of Apache so I was just trying to keep the code close to the
> >>>> same.
> >>>>>
> >>>>> It is going to use Tomcat and ORDS. We've got ORDS working and are
> >> just
> >>>>> setting up Tomcat to do the SSL stuff we needed to do.
> >>>>>
> >>>>> I was using the SSLOptions +StdEnvVars settings that would set the
> >>>>> variables I needed as environment variables that I could then pick up
> >> in
> >>>>> Oracle via OWA_UTIL.GET_CGI_ENV('SSL_CLIENT_S_DN');
> >>>>>
> >>>>> So, I guess if there is a different way of doing that without using
> CGI
> >>>>> Environment variables I can try that. I'm just having issues finding
> >> any
> >>>>> useful examples of what I want to do.
> >>>>>
> >>>>> Thanks for your help, it is really appreciated.
> >>>>>
> >>>>> On Mon, Jun 12, 2023 at 4:31 AM Mark Thomas <ma...@apache.org>
> wrote:
> >>>>>
> >>>>>> The information you are looking for is not made available via
> Tomcat's
> >>>>>> standard CGI servlet. You would need to extend it and add the
> >>>>>> certificate information as an additional environment variable (or
> >>>>>> variables).
> >>>>>>
> >>>>>> Do you need to use CGI? It is fairly unusual to see CGI mention on
> >> this
> >>>>>> list these days.
> >>>>>>
> >>>>>> Mark
> >>>>>>
> >>>>>>
> >>>>>> On 11/06/2023 22:56, Timothy Ward wrote:
> >>>>>>> Doesn't seem to work via perl, where would I have to use that line
> of
> >>>>>> code?
> >>>>>>>
> >>>>>>> On Sun, Jun 11, 2023 at 5:26 PM Martynas Jusevičius <
> >>>>>> marty...@atomgraph.com>
> >>>>>>> wrote:
> >>>>>>>
> >>>>>>>> You can get client certificates from ServletRequest:
> >>>>>>>>
> >>>>>>>> X509Certificate[] certs =
> >>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>
> >>
> (X509Certificate[])getHttpServletRequest().getAttribute("jakarta.servlet.request.X509Certificate");
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>
> >>>>
> >>
> https://jakarta.ee/specifications/servlet/5.0/apidocs/jakarta/servlet/servletrequest#getAttribute(java.lang.String)
> >>>>>>>>
> >>>>>>>> On Sun, Jun 11, 2023 at 11:20 PM Timothy Ward <
> >> twardbite...@gmail.com
> >>>>>
> >>>>>>>> wrote:
> >>>>>>>>>
> >>>>>>>>> Tomcat 10.1 setup using certificateVerification="required" on
> >> Windows
> >>>>>>>>> Server 2019, is there a way to get the SSL_CLIENT_S_DN and
> >>>>>>>> SSL_CLIENT_I_DN
> >>>>>>>>> via a CGI perl script? I think I have the SSLValve valve
> >>>> implemented,
> >>>>>>>> but
> >>>>>>>>> there is nothing for sure that tells me that it is.
> >>>>>>>>>
> >>>>>>>>> The browser prompts for the pin and authenticates just fine, I
> just
> >>>>>> need
> >>>>>>>> a
> >>>>>>>>> way to get some of the client certificate information.
> >>>>>>>>>
> >>>>>>>>> Thanks,
> >>>>>>>>> Tim
> >>>>>>>>
> >>>>>>>>
> >> ---------------------------------------------------------------------
> >>>>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> ---------------------------------------------------------------------
> >>>>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>>>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>>>>
> >>>>>>
> >>>>>
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >>>> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>>>
> >>>>
> >>>
> >>
> >> ---------------------------------------------------------------------
> >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> >> For additional commands, e-mail: users-h...@tomcat.apache.org
> >>
> >>
> >
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>
