Bug 40524

Summary: request.getAuthType() returns different string from HttpServletRequest.CLIENT_CERT_AUTH
Product: Tomcat 5 Reporter: Dario Andrade <dario>
Component: Servlet & JSP APIAssignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED    
Severity: major    
Priority: P2    
Version: 5.5.12   
Target Milestone: ---   
Hardware: Other   
OS: Windows XP   
Attachments: Fix for CLIENT_CERT/CLIENT-CERT mismatch

Description Dario Andrade 2006-09-16 01:49:08 UTC 
using inspect:

request.getAuthType()
  (java.lang.String) CLIENT-CERT
	 
HttpServletRequest.CLIENT_CERT_AUTH
   (java.lang.String) CLIENT_CERT

api says they should be the same object (== should work)
Comment 1 Chris Halstead 2007-01-11 11:46:19 UTC 
Created attachment 19396 [details]
Fix for CLIENT_CERT/CLIENT-CERT mismatch

The auth-methodType value 'CLIENT-CERT' is defined in the web-app DTDs and
XSDs, but HttpServletRequest.java uses 'CLIENT_CERT'.  The Tomcat internal
Request class correctly uses 'CLIENT-CERT'.  This patch fixes
HttpServletRequest to match the descriptor definition.
Comment 2 Mark Thomas 2007-01-13 19:48:41 UTC 
-1 for this patch.

As per the spec:
CLIENT-CERT is for use in web.xml
CLIENT_CERT is the value of HttpServletRequest.CLIENT_CERT_AUTH and should be
returned by HttpServletRequest.getAuthType()

The bug that needs to be fixed is that HttpServletRequest.getAuthType() should
return CLIENT_CERT rather than CLIENT-CERT
Comment 3 Mark Thomas 2007-01-14 07:30:24 UTC 
I have committed an alternative fix. It will be in 5.5.21 onwards.