Bill, I'm not sure what the best way to submit these is, but here is a first stab at an implementation of this. I was able to successfully test and run this under Tomcat 4.1.29 using the Jakarta-tomcat-connectors source package distributed with 5.0.18 (which should be the latest, from my understanding).
Attached are the patch files for:

org.apache.coyote.tomcat4.CoyoteServerSocketFactory
org.apache.coyote.tomcat4.CoyoteConnector
org.apache.tomcat.util.net.jsse.JSSESocketFactory
org.apache.tomcat.util.net.jsse.JSSE13SocketFactory
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory

Let me know if I'm on the right track... (I haven't done a diff in years, I'm not sure if I did it backwards or not, but I did 'diff <new_file> <original_version>').

Thanks,
Mike

-----Original Message-----
From: Bill Barker [mailto:[EMAIL PROTECTED]
Sent: Thursday, January 22, 2004 2:53 PM
To: Tomcat Developers List
Subject: Re: JSSE 1.4: 'Want' vs. 'Need' Client Certificate Authentication

This has been on my list for a while (just not very high :). I am leaning in the direction of 1): change the clientAuth parameter to be a String of the form: 'true', 'false', or 'want'. It's the simplest, and cleanest. Getting the PureTLS implementation caught up with the JSSE implementation is another item on my list :).

----- Original Message -----
From: "Becker, Michael" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, January 22, 2004 10:38 AM
Subject: JSSE 1.4: 'Want' vs. 'Need' Client Certificate Authentication

One of the additional features that has been introduced in JSSE 1.4 is the ability to 'want' client certificates instead of 'require'ing them (http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html#NewMethods). It also appears that this functionality is not available in the PureTLS implementation of the SSL protocol (at least that I could find). This feature could be useful in scenarios where some users have client side certificates and some do not. This would still allow both sets of users to connect to the same host, but using different modes of authentication.
Another nice thing that this feature would give us is the ability to provide a friendly "You don't have a client certificate and contact this help desk to get your client certificate" instead of not allowing any requests to get into the container.

Considering the fact that this is only applicable to a JDK 1.4.x VM, is this something that could be built into the current distribution? Here are some options that I came up with to get this functionality in Tomcat.

1. Provide an additional argument to the org.apache.coyote.tomcat4.CoyoteServerSocketFactory in server.xml to 'want' certificate authentication. If the underlying SSL implementation does not support that feature, log an error/warning and revert to 'need' certificate authentication.

2. For the org.apache.tomcat.util.net.jsse.JSSE14* classes, change the functionality to 'want' certificates instead of 'need' them. This gives the application and container the ability to give the user an error if they do not have a certificate instead of closing the socket and making the browser show the 'Page can not be displayed' error. This would change existing behavior and thus could be a really bad thing to do.

3. Make my own modifications and don't incorporate them into the default distribution.

Regards,
Mike Becker

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
108a109 > protected boolean clientAuth = false; 151c152 < configureClientAuth(asock); --- > asock.setNeedClientAuth(clientAuth); 365,380d365 < * Configure Client authentication for this version of JSSE. The < * JSSE included in Java 1.4 supports the 'want' value. Prior < * versions of JSSE will treat 'want' as 'false'. < * @param socket the SSLServerSocket < */ < abstract protected void configureClientAuth(SSLServerSocket socket); < < /** < * Configure Client authentication for this version of JSSE. The < * JSSE included in Java 1.4 supports the 'want' value. Prior < * versions of JSSE will treat 'want' as 'false'. < * @param ssocket the SSLSocket < */ < abstract protected void configureClientAuth(SSLSocket socket); < < /** 398c383 < configureClientAuth(socket); --- > socket.setNeedClientAuth(clientAuth);
1203,1204c1203,1206 < IntrospectionUtils.setProperty(protocolHandler, "clientauth", < "" + ssf.getClientAuth()); --- > if (ssf.getClientAuth()) { > IntrospectionUtils.setProperty(protocolHandler, "clientauth", > "" + ssf.getClientAuth()); > }
76,79c76 < * set to <code>true</code>. Want client authentication if set to < * <code>want</code>. (Note: Only supported in the JSSE included with < * J2SDK 1.4 and above. Prior versions of JSSE and PureTLS will treat < * 'want' as 'false'.) [false]</li> --- > * set to <code>true</code>. [false]</li> 120c117 < private String clientAuth = "false"; --- > private boolean clientAuth = false; 122c119 < public String getClientAuth() { --- > public boolean getClientAuth() { 126c123 < public void setClientAuth(String clientAuth) { --- > public void setClientAuth(boolean clientAuth) {
67d66 < import javax.net.ssl.SSLSocket; 89,90d87 < protected boolean clientAuth = false; < 177,185d173 < } < protected void configureClientAuth(SSLServerSocket socket){ < socket.setNeedClientAuth(clientAuth); < } < protected void configureClientAuth(SSLSocket socket){ < // In JSSE 1.0.2 docs it does not explicitly < // state whether SSLSockets returned from < // SSLServerSocket.accept() inherit this setting. < socket.setNeedClientAuth(clientAuth);
71d70 < import javax.net.ssl.SSLSocket; 98,100d96 < protected boolean requireClientAuth = false; < protected boolean wantClientAuth = false; < 116,117c112 < requireClientAuth = Boolean.valueOf(clientAuthStr).booleanValue(); < wantClientAuth = "want".equalsIgnoreCase(clientAuthStr); --- > clientAuth = Boolean.valueOf(clientAuthStr).booleanValue(); 289,301d283 < protected void configureClientAuth(SSLServerSocket socket){ < if (requireClientAuth){ < socket.setNeedClientAuth(requireClientAuth); < } < if (wantClientAuth){ < socket.setWantClientAuth(wantClientAuth); < } < } < protected void configureClientAuth(SSLSocket socket){ < // Per JavaDocs: SSLSockets returned from < // SSLServerSocket.accept() inherit this setting. < } <
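Review bot: in the JSSESocketFactory hunk (365,380d365) the Javadoc for the second abstract method says "@param ssocket the SSLSocket" but the declaration is "abstract protected void configureClientAuth(SSLSocket socket);", so the tag names a parameter that does not exist; rename one or the other. Note also that, as the cover mail suspects, this diff is reversed: the '<' lines throughout are the new code and the '>' lines are the current tree (for example "> protected boolean clientAuth = false;" is really a removal from the base class). Regenerating with 'diff -u <original> <new>' would let a committer apply it with patch directly.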
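Review bot: dropping the "if (ssf.getClientAuth())" guard in the CoyoteConnector hunk (1203,1204c1203,1206) is necessary once the value is a String, since 'want' could never pass a boolean test, but it also means the protocol handler's "clientauth" property is now always set, including to the literal "false" where before it was never touched. That is a behaviour change for every handler exposing that property, so state it in the commit message and confirm each handler's setter accepts "false" and "want" as strings rather than only "true".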
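Review bot: "public void setClientAuth(String clientAuth)" in the CoyoteServerSocketFactory hunk (126c123) accepts any string, and the only consumer shown, "Boolean.valueOf(clientAuthStr)", maps everything other than 'true' to false, so a typo in server.xml such as clientAuth="ture" or "yes" silently yields a connector that never asks for a certificate at all. An authentication setting should fail closed: validate here that the value is exactly one of 'true', 'false' or 'want' and throw or log loudly otherwise, and say in the Javadoc (76,79c76) what happens to unrecognised values.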
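Review bot: the JSSE13SocketFactory hunk (177,185d173) keeps a boolean "clientAuth" field, so on a 1.3 VM a configured 'want' can only end up as false, which is the "treat 'want' as 'false'" rule the new Javadoc documents but the opposite of option 1 in the original mail (log a warning and revert to 'need'). Either choice is defensible, but it should be explicit and visible: at minimum log at startup when 'want' is configured on a JSSE that cannot honour it, so an administrator does not learn from the access logs that certificates were never requested. Applying setNeedClientAuth to both the SSLServerSocket and the accepted SSLSocket, as the comment about the JSSE 1.0.2 docs explains, is the safe reading.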
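Review bot: the "if (requireClientAuth)" / "if (wantClientAuth)" guards in the JSSE14SocketFactory hunk (289,301d283) look redundant, since each branch just passes a flag that is already true, but they are load-bearing: SSLServerSocket.setNeedClientAuth and setWantClientAuth each override the other, so an unconditional "socket.setWantClientAuth(wantClientAuth)" with a false value after "socket.setNeedClientAuth(true)" would cancel the required-auth setting. Add a one-line comment saying why the guards are there, otherwise a later "simplification" will silently disable required client authentication. The empty configureClientAuth(SSLSocket) with its "inherit this setting" comment is fine for 1.4.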
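The 'true' / 'false' / 'want' mapping discussed in the thread, as an added Java example that is not part of Mike's patch or the Tomcat code: a hypothetical helper that applies the value to a JSSE 1.4 SSLServerSocket, rejects unrecognised values instead of letting them fall through to 'false', and shows how an application can check after accept() whether a client under 'want' actually presented a certificate.

```java
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;

// Hypothetical helper (not from the submitted patch): maps the proposed
// clientAuth values 'true' / 'false' / 'want' onto the JSSE 1.4 socket API.
// Unrecognised values are rejected rather than silently becoming 'false',
// so a typo in server.xml cannot turn a certificate-protected connector
// into one that never asks for a certificate.
public final class ClientAuthConfig {

    public static void configure(SSLServerSocket socket, String clientAuth) {
        String v = clientAuth == null ? "false" : clientAuth.trim().toLowerCase();
        if ("true".equals(v)) {
            socket.setNeedClientAuth(true);   // handshake fails without a cert
        } else if ("want".equals(v)) {
            socket.setWantClientAuth(true);   // cert requested, not required
        } else if ("false".equals(v)) {
            socket.setNeedClientAuth(false);  // also clears any earlier 'want'
        } else {
            throw new IllegalArgumentException(
                "clientAuth must be 'true', 'false' or 'want', got: " + clientAuth);
        }
    }

    // After accept() under 'want': returns the client's leaf certificate, or
    // null when the browser sent none. The application can then show its
    // "contact the help desk" page instead of the handshake simply failing.
    public static X509Certificate peerCertificate(SSLSocket client) {
        try {
            SSLSession session = client.getSession();
            Certificate[] chain = session.getPeerCertificates();
            if (chain.length > 0 && chain[0] instanceof X509Certificate) {
                return (X509Certificate) chain[0];
            }
            return null;
        } catch (SSLPeerUnverifiedException e) {
            return null; // 'want' mode: no certificate was presented
        }
    }
}
```

Under 'true' the accepted socket's handshake has already failed for clients without a certificate, so peerCertificate is only meaningful in 'want' mode.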