Re: Servlets and SSL!

David Brownell (David.Brownell@Eng)
Tue, 17 Feb 1998 08:39:25 -0800

Date: Tue, 17 Feb 1998 08:39:25 -0800
From: David.Brownell@Eng (David Brownell)
Message-Id: <199802171639.IAA15165@argon.eng.sun.com>
To: java-security@web1.javasoft.com, wplatzer@iaik.tu-graz.ac.at
Subject: Re: Servlets and SSL!

> From: "Wolfgang Platzer" <wplatzer@iaik.tu-graz.ac.at>
> Date: Tue, 17 Feb 1998 16:45:27 +0100
>
> Is it possible to get information about an SSL connection (cipher suite,
> certificate list) within a Servlet?

Absolutely. This relevant information is in the servlet API
documentation. Servlets can get a handle on the SSL session
object, from which these data may be directly derived, or may
get them directly. See the appended code snippet.

APIs (and an implementation) for the servlet standard extension
are available within the JDK 1.2 beta2 distribution, and APIs
(no implementation available outside of JavaSoft products, even
for the interface classes) for the SSL standard extension have
been made available through java.sun.com/jdc ... there was a
minor goof with the ZIP file for those javadocs, which should
be fixed by now.

- Dave

    import java.io.IOException;
    import javax.net.ssl.*;
    import javax.security.cert.*;
    import javax.servlet.ServletException;
    import javax.servlet.http.*;

    public class MyServlet extends HttpServlet {
        // ...
        public void doPost (
            HttpServletRequest  request,
            HttpServletResponse response
        ) throws IOException, ServletException
        {
            if ("https".equals (request.getScheme ())) {
                String          cipherSuite;
                X509Certificate certChain [];

                // Read the values directly from the request attributes
                cipherSuite = (String) request.getAttribute (
                    "javax.net.ssl.cipher_suite");
                certChain = (X509Certificate []) request.getAttribute (
                    "javax.net.ssl.peer_certificates");

                // OR: get the SSL session object and derive them from it
                SSLSession      session;

                session = (SSLSession) request.getAttribute (
                    "javax.net.ssl.session");
                cipherSuite = session.getCipherSuite ();
                certChain = session.getPeerCertificateChain ();

                // ... then do with them as you will; if it's a weak
                // flavor the key exchange will be export grade (search
                // for "_EXPORT_" substring) or the encryption will be
                // null (search for "_WITH_NULL_" substring).
            }

            // ...
        }
        // ...
    }
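
The weak-flavor check described in the closing comment of the snippet above, written out as an added example that is not part of the original post or of any JavaSoft code. The class, enum and method names are hypothetical, and the cipher suite names in main() are constructed sample input.

```java
// Added example: classify the value a servlet reads from the
// "javax.net.ssl.cipher_suite" request attribute, using the two
// substring checks named in the post. All names here are hypothetical.
public class CipherSuiteGate {

    enum Verdict { NOT_HTTPS, NO_SUITE, NULL_ENCRYPTION, EXPORT_KEY_EXCHANGE, ACCEPT }

    // scheme: the value of request.getScheme()
    // attr:   the value of request.getAttribute("javax.net.ssl.cipher_suite")
    static Verdict classify(String scheme, Object attr) {
        if (!"https".equals(scheme)) {
            return Verdict.NOT_HTTPS;
        }
        // The attribute may be absent or of an unexpected type: fail closed
        // instead of letting a null or a ClassCastException decide the outcome.
        if (!(attr instanceof String)) {
            return Verdict.NO_SUITE;
        }
        String suite = (String) attr;
        // Null encryption is reported first: such a connection gives no
        // confidentiality at all, whatever the key exchange was.
        if (suite.contains("_WITH_NULL_")) {
            return Verdict.NULL_ENCRYPTION;
        }
        if (suite.contains("_EXPORT_")) {
            return Verdict.EXPORT_KEY_EXCHANGE;
        }
        // ACCEPT only means that neither of the two checks matched.
        return Verdict.ACCEPT;
    }

    public static void main(String[] args) {
        // Constructed sample input: { scheme, cipher suite attribute }
        String[][] samples = {
            { "http",  null },
            { "https", null },
            { "https", "SSL_RSA_WITH_NULL_MD5" },
            { "https", "SSL_RSA_EXPORT_WITH_RC4_40_MD5" },
            { "https", "SSL_RSA_WITH_RC4_128_MD5" },
        };
        for (String[] s : samples) {
            System.out.println(s[0] + " " + s[1] + " -> " + classify(s[0], s[1]));
        }
    }
}
```

Inside doPost, a servlet that requires strong SSL would answer any verdict other than ACCEPT with response.sendError (HttpServletResponse.SC_FORBIDDEN) before touching the request body.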