[foaf-protocols] FOAF+SSL: Simple Recipe to Create X.509 Client Certificates in PHP
Bruno Harbulot
Bruno.Harbulot at manchester.ac.uk
Wed Jan 28 01:20:04 CET 2009
Bruno Harbulot wrote:
> Hello,
>
> Story Henry wrote:
>> On 5 Jan 2009, at 16:14, Dirk-Willem van Gulik wrote:
>>
>>> Bruno Harbulot wrote:
>>>
>>>> I don't know how to make this re-negotiation happen in a Java Servlet
>>>> container. I'm not sure if the Servlet specification allows for this
>>>> mechanism (I haven't found anything). For this reason, I find making the
>>>> cert request optional easier.
>>> As far as I can see (after playing with it for a few minutes) - it
>>> works splendidly, with BouncyCastle, the SUN ones and if you have
>>> apache httpd
>>> sitting in front of it. In each case things like requesting the
>>> Principal start then returning valid info.
>> Dw, could you explain for us novices how you did this?
>
> I hadn't actually tried, but this works indeed. The behaviour differs
> depending on the container. I couldn't get it to work with
> Glassfish+Grizzly (and subsequently reported a Grizzly bug), but the
> Coyote-based containers (Tomcat, Glassfish, ...) seem to support
> re-negotiation quite well (not Jetty as far as I've seen, I haven't been
> able to find the time to investigate this further).
> In Coyote, there's a call to SSLSocket.startHandshake() (which requests
> a new handshake, requesting a client certificate) triggered when trying
> to obtain a client certificate when one hasn't been found.
I forgot to add that you still need to configure a CLIENT-CERT login for
this to work. I've tried this with Tomcat 6, and it works:
<web-app>
  <display-name>Test Webapp</display-name>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Test</web-resource-name>
      <url-pattern>/</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Test Realm</realm-name>
  </login-config>
  <security-role>
    <role-name>*</role-name>
  </security-role>
</web-app>
Then, request.getAttribute("javax.servlet.request.X509Certificate")
should be populated with the chain of client certificates.
Best wishes,
Bruno.
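As an added illustration of the last step in the message above (not code from the original post or from the FOAF+SSL project), here is a hypothetical servlet that reads the chain the container stores under javax.servlet.request.X509Certificate after a CLIENT-CERT login, and pulls the URI entries out of the end-entity certificate's subjectAltName extension, which is where FOAF+SSL carries the WebID. It assumes the Servlet 2.5 javax.servlet API (the one Tomcat 6 ships) and a standard JCE provider; the class name ClientCertInfoServlet and the SAN_URI constant are my own. It only extracts the claimed URI; the FOAF+SSL step of checking that URI against the certificate's public key is not shown.

```java
import java.io.IOException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical servlet (added example, not from the original post): reads the
 * client certificate chain set by the container after a CLIENT-CERT login and
 * lists the URI-typed subjectAltName entries of the end-entity certificate.
 */
public class ClientCertInfoServlet extends HttpServlet {

    /** Request attribute name defined by the Servlet specification. */
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** GeneralName tag for uniformResourceIdentifier in subjectAltName (RFC 5280). */
    private static final int SAN_URI = 6;

    /**
     * Returns the URI-typed subjectAltName entries of the certificate, or an
     * empty list when the extension is absent or cannot be parsed.
     */
    static List<String> subjectAltNameUris(X509Certificate cert) {
        List<String> uris = new ArrayList<String>();
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null) {
                return uris;
            }
            for (List<?> entry : sans) {
                // Each entry is [Integer type, value]; URI values are Strings.
                Integer type = (Integer) entry.get(0);
                if (type.intValue() == SAN_URI && entry.get(1) instanceof String) {
                    uris.add((String) entry.get(1));
                }
            }
        } catch (CertificateParsingException e) {
            // Malformed extension: report "no URIs" rather than failing the request.
        }
        return uris;
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        // The container sets this attribute only when the client actually
        // presented a certificate during the (re)negotiated TLS handshake.
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);

        if (chain == null || chain.length == 0) {
            // No certificate: nothing to identify the client with.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "Client certificate required");
            return;
        }

        // chain[0] is the end-entity (client) certificate; any issuers follow.
        X509Certificate clientCert = chain[0];
        List<String> uris = subjectAltNameUris(clientCert);

        response.setContentType("text/plain");
        response.getWriter().println("Subject DN: "
                + clientCert.getSubjectX500Principal().getName());
        response.getWriter().println("Chain length: " + chain.length);
        response.getWriter().println("subjectAltName URIs: " + uris);
    }
}
```

Map the servlet to a path covered by the security-constraint above; because the transport-guarantee is CONFIDENTIAL and the auth-method is CLIENT-CERT, the container will have demanded the certificate before doGet runs, so a null chain here means the client declined to send one.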