I am planning to use certificate-based authentication of clients in a web application. Now I need a way to get information from the certificate supplied by the client.
How do I do that on the server side? I think that the servlet container (Tomcat) would validate certificates and fill out the Principal in HttpServletRequest.getUserPrincipal.
Is there something else to consider?
I do this with Apache + Tomcat. Apache can create CGI variables for the cert data with the SSLOptions:
SSLOptions +ExportCertData
Tomcat adds that data to the request attributes; you can obtain it using:
import java.security.cert.X509Certificate;
// null if no client certificate was presented; x509[0] is the client's own (end-entity) certificate
X509Certificate[] x509 = (X509Certificate[])
        request.getAttribute("javax.servlet.request.X509Certificate");
I don't know how Tomcat handles client certs on its own, but this way it works reliably.
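A complete servlet built around the attribute the answer above describes, as an added example that is not code from the original question or answer. It assumes the javax.servlet API (Tomcat 9 or earlier; Tomcat 10 and later use jakarta.servlet), that the TLS front end (Apache with SSLVerifyClient require and SSLOptions +ExportCertData, or a Tomcat connector with clientAuth="true") has already verified the chain against its trust store, and a hypothetical isEnrolled lookup with a constructed fingerprint list standing in for a real user store. It reads the chain, refuses requests without one, re-checks the validity window, parses the CN with an RFC 2253 parser instead of string splitting, and binds the certificate to an account by its SHA-256 fingerprint.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not from the original post. Assumes javax.servlet (Tomcat <= 9) and that
// the TLS front end already verified the chain; this servlet only consumes the identity
// the container stored in the request attribute.
public class ClientCertServlet extends HttpServlet {

    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // The attribute is null when the front end did not request or did not receive a
        // client certificate. Never fall through to anonymous handling in that case.
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        X509Certificate clientCert = chain[0]; // index 0 is the end-entity certificate
        try {
            // Defence in depth: re-check the validity window even though the front end
            // should already have rejected expired or not-yet-valid certificates.
            clientCert.checkValidity();

            String cn = commonName(clientCert);
            String fingerprint = sha256Fingerprint(clientCert);
            if (!isEnrolled(fingerprint)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not enrolled");
                return;
            }
            resp.setContentType("text/plain");
            resp.getWriter().printf("authenticated as CN=%s (SHA-256 %s)%n", cn, fingerprint);
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate rejected: " + e.getMessage());
        }
    }

    /** Extracts the CN from the subject DN with an RFC 2253 parser; naive splitting on ',' breaks on escaped commas. */
    static String commonName(X509Certificate cert) throws CertificateException {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
            throw new CertificateException("subject has no CN");
        } catch (InvalidNameException e) {
            throw new CertificateException("unparseable subject DN", e);
        }
    }

    /** SHA-256 over the DER encoding: a stable identifier for binding a certificate to a user record. */
    static String sha256Fingerprint(X509Certificate cert) throws CertificateEncodingException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) {
                hex.append(String.format("%02x", b));
            }
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is mandatory in every JRE
        }
    }

    /** Hypothetical lookup: a real deployment consults the user store that maps fingerprints to accounts. */
    static boolean isEnrolled(String fingerprint) {
        return ENROLLED.contains(fingerprint);
    }

    // Constructed placeholder data standing in for the user store; replace with a real lookup.
    private static final Set<String> ENROLLED = Set.of(
            "0000000000000000000000000000000000000000000000000000000000000000");
}
```

The enrollment check matters beyond convenience: with Apache, SSLVerifyClient optional_no_ca still exports a certificate that was never verified against a CA, so the mere presence of the attribute must not be treated as proof of a trusted identity. Binding the fingerprint (or the full subject DN plus issuer) to an account record keeps the application's trust decision independent of how permissively the front end was configured.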