1 Reply Latest reply on Nov 6, 2001 10:05 AM by J. Wolfgang Kaltz

    Client authenticated SSL with Apache and embedded Tomcat

    Max Johnson Newbie

      I've posted this question to the servlet-jsp forum but it mat be more appropriate to security:

      I have configured Apache/mod_ssl to request client certificates for authentication. Using mod_jk, ajp13 workers and vanilla Tomcat 3.2.3 I can extract the client cert details from a servlet or JSP. (e.g. Calling request.getAttribute("javax.servlet.request.X509Certificate") returns the client's cert details as I expect).

      However, if I change to Tomcat embedded into JBoss it stops working. The informations does not appear to be passed through. I have declared the AJP13 connection handler in server.xml and pages are served just fine. However, calling request.getAttribute("javax.servlet.request.X509Certificate") returns null when it shouldn't!

      Any pointers as to what's going wrong would be very much appreciated.


        • 1. Re: Client authenticated SSL with Apache and embedded Tomcat
          J. Wolfgang Kaltz Novice

          Interesting ... I'm not exactly sure, but I guess the main difference is, using standalone Tomcat it is Tomcat receiving the call and you have the request details; using the embedded Tomcat it's actually JBoss receiving and handling the call, and it seems to lose some request details before passing it on to the embedded Tomcat. Perhaps you might consider looking in the JBoss source code how the request interceptor (should be called something like this) works and where a loss of information might occur. From what I've seen so far, the JBoss source code is actually quite easy and interesting to read.