Project

General

Profile

Feature #1706

Expose method sslInfo() on class Wt::Http::Request

Added by Anonymous over 7 years ago. Updated over 7 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Start date:
02/17/2013
Due date:
% Done:

0%

Estimated time:

Description

I'm working a project that utilizes RESTful URLs for Peer-to-peer communication. As the system is autonomous,

each node has its own certificate and authenticates bi-directionally via ssl connections. The internal state and inter-node

communication will be reflected back to each Peer operator through Wt's awesome dynamic web interface.

However, I'm having trouble getting access to the ssl client certificate. This is my first Wt project so consider me a noob.

I've searched the forums and this issue appears to have been discussed and partially implemented.

The class Wt::WebRequest defines the accessor method sslInfo()

/*

  • Returns \c 0 if the request does not have SSL client certificate
  • information. When sslInfo() does return a pointer, the ownership of the
  • pointer is transferred to the caller, which must delete it.
    */
    virtual WSslInfo *sslInfo() const = 0;

However, the class Wt::Http::Request which wrappers Wt::WebRequest does not expose the sslInfo() accessor.

Could sslInfo() be added to the Wt::Http::Request interface in the next release? Something like:

WSslInfo *Request::sslInfo() const

{

return request_ ? request_->sslInfo() : 0;

}

Without the accessor it appears impossible to access the client ssl certificate from a Wt Static Resource.

Thanks for your help!

Bob


Files

patch (3.31 KB) patch Wim Dumon, 03/05/2013 05:56 PM
#1

Updated by Wim Dumon over 7 years ago

  • Assignee set to Wim Dumon

That is indeed a useful extension for static resources.

Client certificates can currently be queried through the WEnvironment object, which returns the certificate used at the time that the session was created. For non-static resources, there is probably no need to further authenticate the user (under the assumption that the session token does not leak). But for static resources, there is no session, so there is no alternative method of authentication.

My suggested implementation is to query the WSslInfo from the WebRequest in the Request constructor, delete it in the destructor, and return it in a 'sslInfo()' method (similar to WEnvironment). Behaviour is the same for static and session-bound WResources.

Comments?

#2

Updated by Bob Way over 7 years ago

Thanks for looking into this Wim! Your proposed implementation is what I had in mind. However, I think it might be even easier than you suggest.

Since Wt::Http::Request encapsulates Wt::WebRequest through the request_ member variable, I don't think there is any need to actually copy WSslInfo during the construction phase. It can simply be returned by reference from the encapsulated WebRequest.

I am a noob however and I didn't go through every line of the source. If the lifetimes of WebRequest and Http::Request are different then yours of course is the correct solution.

Thanks for the help,

Bob

#3

Updated by Wim Dumon over 7 years ago

Can you test the patch in attachment and let me know if it works as expected?

BR,

Wim.

#4

Updated by Bob Way over 7 years ago

Will do. Thanks!

I'm a bit behind my personal schedule so it will take a couple of days.

#5

Updated by Wim Dumon over 7 years ago

  • Status changed from New to Resolved
  • Target version set to 3.3.0

Change will be in 3.3.0

#6

Updated by Koen Deforche over 7 years ago

  • Status changed from Resolved to Closed

Also available in: Atom PDF