Hello guys, I'm currently facing an issue with the BaseAuthenticator. Before opening an issue on the bug tracker, I'd like to get your opinion, guys.

The use case is simple: use an HTTPS Tomcat connector with mutual authentication (CLIENT-CERT). It does not involve any front server like Apache HTTPD at all. Everything works fine until you want to add the SSLAuthenticator valve with the preemptive mode.

At the end of the invoke method (AuthenticatorBase), the presence of the X509 certificate is checked under the usual key (i.e. request.getAttribute(Globals.CERTIFICATES_ATTR)). This works fine when using an Apache HTTPD front, but does not work with Tomcat SSL connectors because the request is not populated.

If you check the authenticate method of the SSLAuthenticator, which should be invoked if a certificate is found: if nothing is found in the request under the usual key, the following is done before trying again:

request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE, null);

Roughly and simply speaking, the certificate is going to be extracted from the coyote request and the entry in the HTTP request is populated. I'm wondering why it's not also done in the AuthenticatorBase? It makes it impossible to use the preemptive mode with the SSLAuthenticator valve.

I think creating a getRequestCertificate() method in the AuthenticatorBase that wraps up the logic of calling the coyote request or not would do the trick. Then it's just a matter of using it in the invoke method (AuthenticatorBase) or in the authenticate method (SSLAuthenticator).

Feedback welcome so that I can create a JIRA and submit a patch if you want.

-- Jean-Louis
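The helper described in the post, written out as an added example (it is not code from the post or from Tomcat itself). It assumes the Tomcat 7-era API visible in the message: `org.apache.catalina.connector.Request`, `Globals.CERTIFICATES_ATTR`, `request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE, null)`, and that the attribute, once populated, holds an `X509Certificate[]`. The class name `CertificateLookup` and the method `preemptiveAuthRequired` are hypothetical names chosen for the example; the point is that both the preemptive check in `invoke` and `SSLAuthenticator.authenticate` could share one lookup that asks the connector for the chain when a front server has not already supplied it.

```java
import java.security.cert.X509Certificate;

import org.apache.catalina.Globals;
import org.apache.catalina.connector.Request;
import org.apache.coyote.ActionCode;

/**
 * Hypothetical helper (not part of Tomcat): returns the client certificate
 * chain for a request, populating it from the coyote request on demand.
 *
 * Behind Apache HTTPD the chain is already present under
 * Globals.CERTIFICATES_ATTR. On a plain Tomcat SSL connector it is only
 * filled in after REQ_SSL_CERTIFICATE is triggered, which is why a check
 * that reads the attribute without triggering it sees nothing.
 */
public final class CertificateLookup {

    private CertificateLookup() {
    }

    /**
     * Returns the chain under the usual key, asking the connector for it
     * first if it is not there yet. Returns null when the peer presented
     * no certificate at all (the caller decides whether that is an error).
     */
    public static X509Certificate[] getRequestCertificate(Request request) {
        X509Certificate[] certs = readChain(request);
        if (certs == null) {
            // Same call SSLAuthenticator.authenticate makes: have the
            // connector expose the TLS peer chain on the servlet request.
            request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE, null);
            certs = readChain(request);
        }
        return certs;
    }

    /** Preemptive-mode decision: authenticate only if a chain is present. */
    public static boolean preemptiveAuthRequired(Request request) {
        X509Certificate[] certs = getRequestCertificate(request);
        return certs != null;
    }

    // Normalises "absent" and "empty" to null so callers have one case to handle.
    private static X509Certificate[] readChain(Request request) {
        Object attr = request.getAttribute(Globals.CERTIFICATES_ATTR);
        if (attr instanceof X509Certificate[]) {
            X509Certificate[] chain = (X509Certificate[]) attr;
            return chain.length > 0 ? chain : null;
        }
        return null;
    }
}
```

In the preemptive branch of `invoke`, `authRequired = CertificateLookup.preemptiveAuthRequired(request);` would replace the direct attribute read, and `SSLAuthenticator.authenticate` would call `getRequestCertificate` instead of repeating the attribute-then-action sequence. Note that the lookup reports the chain the connector negotiated; it does not verify it, so the realm's checks against the chain still apply afterwards exactly as they do today.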