Feature #1706
closedExpose method sslInfo() on class Wt::Http::Request
Description
I'm working a project that utilizes RESTful URLs for Peer-to-peer communication. As the system is autonomous,
each node has its own certificate and authenticates bi-directionally via ssl connections. The internal state and inter-node
communication will be reflected back to each Peer operator through Wt's awesome dynamic web interface.
However, I'm having trouble getting access to the ssl client certificate. This is my first Wt project so consider me a noob.
I've searched the forums and this issue appears to have been discussed and partially implemented.
The class Wt::WebRequest defines the accessor method sslInfo()
/*
- Returns \c 0 if the request does not have SSL client certificate
- information. When sslInfo() does return a pointer, the ownership of the
- pointer is transferred to the caller, which must delete it.
*/
virtual WSslInfo *sslInfo() const = 0;
However, the class Wt::Http::Request which wrappers Wt::WebRequest does not expose the sslInfo() accessor.
Could sslInfo() be added to the Wt::Http::Request interface in the next release? Something like:
WSslInfo *Request::sslInfo() const
{
return request_ ? request_->sslInfo() : 0;
}
Without the accessor it appears impossible to access the client ssl certificate from a Wt Static Resource.
Thanks for your help!
Bob
Files
Updated by Wim Dumon over 11 years ago
- Assignee set to Wim Dumon
That is indeed a useful extension for static resources.
Client certificates can currently be queried through the WEnvironment object, which returns the certificate used at the time that the session was created. For non-static resources, there is probably no need to further authenticate the user (under the assumption that the session token does not leak). But for static resources, there is no session, so there is no alternative method of authentication.
My suggested implementation is to query the WSslInfo from the WebRequest in the Request constructor, delete it in the destructor, and return it in a 'sslInfo()' method (similar to WEnvironment). Behaviour is the same for static and session-bound WResources.
Comments?
Updated by Bob Way over 11 years ago
Thanks for looking into this Wim! Your proposed implementation is what I had in mind. However, I think it might be even easier than you suggest.
Since Wt::Http::Request encapsulates Wt::WebRequest through the request_ member variable, I don't think there is any need to actually copy WSslInfo during the construction phase. It can simply be returned by reference from the encapsulated WebRequest.
I am a noob however and I didn't go through every line of the source. If the lifetimes of WebRequest and Http::Request are different then yours of course is the correct solution.
Thanks for the help,
Bob
Updated by Bob Way over 11 years ago
Will do. Thanks!
I'm a bit behind my personal schedule so it will take a couple of days.
Updated by Wim Dumon over 11 years ago
- Status changed from New to Resolved
- Target version set to 3.3.0
Change will be in 3.3.0
Updated by Koen Deforche over 11 years ago
- Status changed from Resolved to Closed