https://issues.apache.org/bugzilla/show_bug.cgi?id=46950
Summary: SSL renegotiation does not occur when resource with
CLIENT-CERT auth is requested
Product: Tomcat 6
Version: 6.0.18
Platform: PC
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: Servlet & JSP API
AssignedTo: [email protected]
ReportedBy: [email protected]
When a part of a webapp requires an SSL connection with a client certificate
there should be an SSL renegotiation to request a client certificate from the
browser.
This is the configuration I added to an webapp that already uses an SSL
connector:
<login-config id="LoginConfig_1">
<auth-method>CLIENT-CERT</auth-method>
<realm-name>WPS</realm-name>
</login-config>
<security-constraint id="SecurityConstraint_1">
<web-resource-collection id="WebResourceCollection_1">
<web-resource-name/>
<url-pattern>/LoginWithCert.do</url-pattern>
<http-method>DELETE</http-method>
<http-method>GET</http-method>
<http-method>POST</http-method>
<http-method>PUT</http-method>
<http-method>HEAD</http-method>
</web-resource-collection>
<user-data-constraint id="UserDataConstraint_4">
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
Requests to /LoginWithCert.do require an SSL connection, if there isn't one,
but no client certificate is requested.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
