servlet icon indicating copy to clipboard operation
servlet copied to clipboard
verified publisher icon jakartaee

Please add servlet request attribute for SSL/TLS protocol

Open glassfishrobot opened this issue 10 years ago • 10 comments

Since the early days of the servlet specification, the following request attributes have been provided to applications wishing to check the details of the remote user's SSL/TLS connection:

javax.servlet.request.cipher_suite javax.servlet.request.key_size javax.servlet.request.ssl_session_id javax.servlet.request.X509Certificate

It would also be nice to be able to see the SSL/TLS protocol (e.g. SSLv3, TLSv1, TLSv1.2, etc.).

I propose the following request attribute to be added to the specification and required by compliant containers:

javax.servlet.request.ssl_protocol (consistent with existing .ssl_* attribute names) or javax.servlet.request.tls_protocol (consistent with likely future protocols) or javax.servlet.request.secure_protocol (protocol-name agnostic)

The list of acceptable values should match the JVM's naming scheme for SSL/TLS protocol, but not be restricted to the protocols supported by the underlying Java Runtime Environment (in the event that a crypto provider other than JSSE – e.g. OpenSSL, etc. – is being used to provide the secure connection instead of the JRE).

The level-of-effort to modify the specification should be minimal, and the burden on container implementers should be similarly minimal, since the existing request attributes must already be populated in the request attributes, and the SSL/TLS protocol is readily available from the same source as the aforementioned attribute values.

glassfishrobot avatar Apr 08 '15 13:04 glassfishrobot

  • Issue Imported From: https://github.com/javaee/servlet-spec/issues/130
  • Original Issue Raised By:@glassfishrobot
  • Original Issue Assigned To: @glassfishrobot

glassfishrobot avatar Jun 06 '18 08:06 glassfishrobot

@glassfishrobot Commented Reported by christopherschultz

glassfishrobot avatar Apr 08 '15 13:04 glassfishrobot

@glassfishrobot Commented markt_asf said: +1

No strong perference on attribute name.

glassfishrobot avatar Apr 08 '15 21:04 glassfishrobot

@glassfishrobot Commented bluewolf said: +1

glassfishrobot avatar Apr 09 '15 00:04 glassfishrobot

@glassfishrobot Commented christopherschultz said: Almost a year with no feedback, the Servlet 4.0 grows ever closer. This seems like a very small and very useful request.

glassfishrobot avatar Mar 04 '16 01:03 glassfishrobot

@glassfishrobot Commented violetagg said: +1

glassfishrobot avatar May 09 '16 06:05 glassfishrobot

@glassfishrobot Commented This issue was imported from java.net JIRA SERVLET_SPEC-130

glassfishrobot avatar Apr 26 '17 06:04 glassfishrobot

@ChristopherSchultz Commented Pinging this issue again. It's trivial to add to the spec, and improves spec support for TLS in web applications.

glassfishrobot avatar Mar 17 '18 21:03 glassfishrobot

@logopk Commented +1

glassfishrobot avatar Mar 18 '18 09:03 glassfishrobot

I'm going to ping this issue once again. Seems trivial, and would be very helpful.

ChristopherSchultz avatar Sep 21 '21 12:09 ChristopherSchultz