Sun Java System Web Server 7.0 Update 2 Administrator's Configuration File Reference

get-client-cert

The get-client-cert function gets the authenticated client certificate from the SSL3 session. It can apply to all HTTP methods, or only to those that match a specified pattern. It only works when SSL is enabled on the server.

If the certificate is present or obtained from the SSL3 session, the function returns REQ_NOACTION and allows the request to proceed. Otherwise, it returns REQ_ABORTED and sets the protocol status to 403 forbidden, causing the request to fail.

Parameters

The following table describes parameters for the get-client-cert function.

Table 7–24 get-client-cert Parameters

Parameter      Description
---------      -----------

dorequest      (Optional) Controls whether to actually get the certificate, or just test for its presence.

               • 1 tells the function to redo the SSL3 handshake to get a client certificate, if the server does not already have the client certificate. This typically causes the client to present a dialog box to the user to select a client certificate. The server might already have the client certificate if it was requested on the initial handshake, or if a cached SSL session has been resumed.

               • 0 tells the function not to redo the SSL3 handshake if the server does not already have the client certificate.

               If a certificate is obtained from the client and verified successfully by the server, the ASCII base 64 encoding of the DER-encoded X.509 certificate is placed in the parameter auth-cert in the Request->vars pblock, and the function returns REQ_PROCEED, allowing the request to proceed.

               The default value is 0.

require        (Optional) Controls whether failure to get a client certificate will abort the HTTP request.

               • 1 tells the function to abort the HTTP request if the client certificate is not present after dorequest is handled. In this case, the HTTP status is set to PROTOCOL_FORBIDDEN, and the function returns REQ_ABORTED.

               • 0 tells the function to return REQ_NOACTION if the client certificate is not present after dorequest is handled.

               The default value is 1.

method         (Optional) Specifies a wildcard pattern for the HTTP methods for which the function will be applied. If method is absent, the function is applied to all requests.

bucket         (Optional) Common to all obj.conf functions. Adds a bucket to monitor performance. For more information, see The bucket Parameter.

Example

# Get the client certificate from the session.
# If a certificate is not already associated with the session, request one.
# The request fails if the client does not present a valid certificate
# (require defaults to 1, method is absent so all HTTP methods are covered).
PathCheck fn="get-client-cert" dorequest="1"
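The example above relies on the defaults for require and method. The following obj.conf fragment is an added illustration, not part of the original reference, showing the two parameters set explicitly: one Object where a certificate is merely optional and tested for without a second handshake, and one where it is mandatory only for state-changing methods. The Object ppath values and the alternation form of the wildcard pattern are assumptions chosen for the illustration; the directive name, function name and parameter names are those documented on this page.

```conf
# Added example (not from the original reference page). The ppath values
# and the (POST|PUT) wildcard form are assumptions for illustration only.

# Optional certificate: dorequest="0" only tests whether a certificate is
# already held from the initial handshake or a resumed session and never
# triggers a second SSL3 handshake; require="0" means a missing certificate
# yields REQ_NOACTION and the request continues. When a verified certificate
# is present, its base64 DER is available as auth-cert in Request->vars.
<Object ppath="*/portal/*">
PathCheck fn="get-client-cert" dorequest="0" require="0"
</Object>

# Mandatory certificate for POST and PUT only: dorequest="1" renegotiates to
# obtain a certificate if none is held; require="1" (the default, written
# out here for clarity) aborts with status 403 (PROTOCOL_FORBIDDEN) when no
# verified certificate results. GET requests to the same paths do not match
# the method pattern, so the function is not applied to them.
<Object ppath="*/account/*">
PathCheck fn="get-client-cert" dorequest="1" require="1" method="(POST|PUT)"
</Object>
```

Both Objects only take effect when SSL is enabled on the listener serving these paths, as the function description states; on a plain HTTP listener there is no SSL3 session to read a certificate from. The bucket parameter is omitted in both directives, so no performance bucket is recorded for these calls.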