https://issues.apache.org/bugzilla/show_bug.cgi?id=46950
--- Comment #5 from Mark Thomas <ma...@apache.org> 2009-04-15 04:38:10 PST --- (In reply to comment #4) > What works for you? The security constraint and login configuration I posted which requires SSL for the entire context but only requires user authentication for a single JSP. If I browse to any resource except the one that requires auth using http I get switched to https as expected. If I then request the protected resource I get prompted for my certificate. > Did you even read what I said? Yes I did. Quite carefully. Taking that attitude is not going to induce people to help you. > How can the browser know if a server trusts a certain certificate or not > without even asking for it? This is the way the SSL handshake works. The server provides a client with a list of trusted certs. If the client doesn't have a user cert issued by one of the trysted certs the client doesn't waste time prompting the user to select one. > Let me explain the problem better. > > Most of my site runs without client cert checking, so I have > SSLVerifyClient="none" on the connector. That is new information. Your original bug report made no mention of using the APR/native connector. I'd expect the behaviour to remain the same but I'll re-test with the native and see. -- Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are the assignee for the bug. --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org