List:       tomcat-user
Subject:    Re: request.getAttribute("javax.servlet.request.X509Certificate") returns NULL for AJP connector (po
From:       Konstantin Kolinko <knst.kolinko () gmail ! com>
Date:       2014-01-29 18:33:21
Message-ID: CABzHfVkUNP3T8wbEoT2+GVr2s6KsFZRk_eXyGWRwq=2yUE59PQ () mail ! gmail ! com

2014-01-29 Christopher Schultz <chris@christopherschultz.net>:
> On 1/28/14, 9:39 PM, John Palmer wrote:
>> Chris: Thanks for the response. I think we can end this discussion
>> - you have pretty much nailed it, I think.
>>
>> The great thing about having to pull together all the information
>> I've gathered over the last month to make this post, is that it
>> lets me see what I've been too close to see, in this case, that the
>> differences are IIS 5 vs 7.5 and Jakarta vs Bon Code.
>>
>> I took another look at the request headers returned by Jakarta (no
>> certs, no SSL info, only about 5 request headers) as opposed to
>> that returned by Bon Code (about 2 dozen request headers, most
>> ignored by Tomcat), to realize that the request headers probably
>> weren't the information source from Jakarta.
>>
>> Re-reading the Tomcat Connector docs and pages for the 1,000th or
>> so time, the phrase "SSL attributes of the client connection are
>> passed via the AJP protocol" jumped out at me, finally, as meaning
>> that this wasn't sent by request headers, but as ATTRIBUTES.
>>
>> Sure enough, reading through the source (NOT my strong point) of
>> the "Jakarta Isapi Redirector 1.2.37" reveals that it IS putting
>> the SSL info into the request forwarded to the AJP connector
>> (Tomcat) as Attributes, and by contrast, the Bon Code source is
>> NOT.
>>
>> I'll recommend/ask that Bilal look into this (I'm not prepared to
>> attempt this myself, yet)... I may be all wrong still... and try to
>> use the Jakarta for now, instead.
>
> This can probably be solved using a custom Valve which converts those
> HTTP headers into request attributes. Honestly, I was surprised
> reading through the Bon Code documentation that such a Valve does not
> ship by default with Bon Code... it seems to be entirely necessary.
>

There exists "SSLValve"
http://tomcat.apache.org/tomcat-7.0-doc/api/org/apache/catalina/valves/SSLValve.html

From a quick look it may be what you are looking for.

It is not documented on the usual "config/valve.html" page. :/

Best regards,
Konstantin Kolinko
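
A sketch of the kind of Valve discussed in this thread, added here as an example; it is not code from Tomcat's SSLValve, the Bon Code connector, or any poster. The class name, the `x-client-cert` header name and the assumption that the front end sends the certificate PEM-encoded are hypothetical and must be matched to the actual connector.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.servlet.ServletException;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;

// Hypothetical valve: copies a certificate forwarded in an HTTP header into
// the request attribute that servlets read for client-certificate auth.
public class ClientCertHeaderValve extends ValveBase {
    private static final Log log = LogFactory.getLog(ClientCertHeaderValve.class);
    private static final String ATTR = "javax.servlet.request.X509Certificate";

    // Assumed header name; configurable as a Valve attribute in server.xml.
    private String certHeader = "x-client-cert";
    public void setCertHeader(String name) { certHeader = name; }

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {
        // The header is only as trustworthy as the hop that set it: the front
        // end must drop any client-supplied copy, and the AJP port must be
        // reachable by the front end only.
        String pem = request.getHeader(certHeader);
        if (pem != null && !pem.trim().isEmpty()) {
            try {
                request.setAttribute(ATTR, new X509Certificate[] { parse(pem) });
            } catch (CertificateException | IllegalArgumentException e) {
                // Malformed value: leave the attribute unset so the
                // application treats the request as having no certificate.
                log.warn("Ignoring unparsable client certificate header", e);
            }
        }
        getNext().invoke(request, response);
    }

    // Strips the PEM markers; the MIME decoder skips the spaces or line
    // breaks a proxy may leave in the header value.
    static X509Certificate parse(String pem) throws CertificateException {
        String b64 = pem.replace("-----BEGIN CERTIFICATE-----", "")
                        .replace("-----END CERTIFICATE-----", "");
        byte[] der = Base64.getMimeDecoder().decode(b64);
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(der));
    }
}
```

The certificate is parsed here but not validated; chain and revocation checks remain the job of the front end that terminated TLS.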
