Client authenticated SSL with Apache and embedded Tomcat

maximus Nov 5, 2001 1:26 PM

I have configured Apache/mod_ssl to request client certificates for authentication. Using mod_jk, ajp13 workers and vanilla Tomcat 3.2.3 I can extract the client cert details from a servlet or JSP. (e.g. Calling request.getAttribute("javax.servlet.request.X509Certificate") returns the client's cert details as I expect).

However, if I change to Tomcat embedded into JBoss it stops working. The informations does not appear to be passed through. I have declared the AJP13 connection handler in server.xml and pages are served just fine. However, calling request.getAttribute("javax.servlet.request.X509Certificate") returns null when it shouldn't!

Any pointers as to what's going wrong would be very much appreciated.

Regards
Max

1. Re: Client authenticated SSL with Apache and embedded Tomcat

ofer May 8, 2002 8:40 PM (in response to maximus)

Hello Maximus, i know ur post is old but it is the only one i have found on this forum that matches the exact same problem. i now know that ssl is not possible w/ catalina403 and jboss244 because the http connector for port 8443 to run ssl in server.xml is ignored or not implemented. however i am willing to run catalina and jboss standalone. tomcat runs ok and jboss runs ok but the autodeployer complains that there is no web container available. any and all direction will be greatly appreciated. thanx, david brown. www.webitplanet.com
Actions
2. Re: Client authenticated SSL with Apache and embedded Tomcat

yanikc Jun 19, 2002 3:36 PM (in response to maximus)

I work on SSL client certificate authentication. I have scanned the Tomcat (3.x) and Jetty (embeded with JBoss 3.x) source code to discover that neither implements the CLIENT-CERT auth-method.

I plan to submit a patch to solve this (unless someone tells me that Tomcat 4.x has solved that issue) as well as a patch for non-web client side Security Interceptor.

If someone has clues, suggestion or remarks, I would appreciate your input.

Yanik
ycrepeau@exScriptis.com
Montréal QC
Actions
3. Re: Client authenticated SSL with Apache and embedded Tomcat

pcolot Jun 26, 2002 6:31 PM (in response to maximus)

I used Tomcat4 / jboss3 / jdk 1.4 with SSL client and server certificate to identify.

I just reply to a similar request on http://www.jboss.org/modules/bb/index.html?module=bb&op=viewtopic&t=forums/ this is going to help

PCO
Actions

Go to original post