My question arises from the fact that the client is authenticated against a principal retrieved from the public certificate that the browser sends in response to ObjectCallback. Is it possible that a user could send this certificate even when he's not the real certificate owner? I remember that security is based on the digital signature of a random hash sent by the server and verified on the server against the public certificate stored in a Java store. But I cannot find this feature in the sources that manage client authentication in the JBoss 4.0.3SP1 release.
Any suggestion will be appreciated. Thanks in advance, F

View the original post: http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3925652#3925652

JBoss-user mailing list, JBoss-user@lists.sourceforge.net
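The proof-of-possession check the post is asking about works as a challenge-response: the server issues a fresh random value, the client signs it with the private key belonging to its certificate, and the server verifies the signature with the public key from the certificate it has on record. Presenting a certificate alone proves nothing, because the certificate is public; only the signature ties the session to the key holder. In TLS client authentication this signature is made over handshake data (the CertificateVerify message) before the application, and therefore the JAAS callback, ever sees the certificate. The following is an added, self-contained example, not code from the post, from JBoss, or from its login modules; it uses only the standard JCA API and a freshly generated RSA key pair standing in for the key behind the user's certificate, so there is no keystore or certificate parsing involved.

```java
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;

public class ChallengeResponseDemo {

    // Server side: a fresh random challenge (nonce) for every authentication attempt,
    // so a signature captured once cannot be replayed later.
    static byte[] newChallenge(SecureRandom rng) {
        byte[] nonce = new byte[32];
        rng.nextBytes(nonce);
        return nonce;
    }

    // Client side: prove possession of the private key by signing the challenge.
    static byte[] sign(PrivateKey key, byte[] challenge) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(challenge);
        return s.sign();
    }

    // Server side: verify the signature with the public key taken from the certificate
    // the server already trusts (in a real deployment, the one kept in its key store).
    static boolean verify(PublicKey key, byte[] challenge, byte[] signature)
            throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initVerify(key);
        s.update(challenge);
        return s.verify(signature);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        // Constructed sample keys: "legit" plays the real certificate owner,
        // "other" plays someone who only has a copy of the public certificate.
        KeyPair legit = gen.generateKeyPair();
        KeyPair other = gen.generateKeyPair();

        SecureRandom rng = new SecureRandom();
        byte[] challenge = newChallenge(rng);

        // 1. The genuine owner signs with the matching private key: verification succeeds.
        byte[] good = sign(legit.getPrivate(), challenge);
        System.out.println("owner    -> " + verify(legit.getPublic(), challenge, good));

        // 2. Holding the certificate without its private key: any signature the impostor
        //    can produce comes from a different key and fails against the stored public key.
        byte[] forged = sign(other.getPrivate(), challenge);
        System.out.println("impostor -> " + verify(legit.getPublic(), challenge, forged));

        // 3. Replaying a previously valid signature against a new challenge also fails.
        byte[] challenge2 = newChallenge(rng);
        System.out.println("replay   -> " + verify(legit.getPublic(), challenge2, good));
    }
}
```

Compile and run with `javac ChallengeResponseDemo.java && java ChallengeResponseDemo`; the first line reports a successful verification and the other two report failures. The point for a login module that receives the certificate through a callback is that it is relying on this check having already been done by the transport layer: if the certificate arrives over a channel that did not require the client to sign with the corresponding private key, the principal derived from it is unverified.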