Thank you for the details provided.  However, I think this just reinforces my
argument.
In your example, your servlet is configured to use BASIC authentication, and it
also requires a transport of CONFIDENTIAL (i.e. SSL).

In your first attempt to use your client, your SSL is not configured to require
the client to authenticate using a certificate.  In this case, the server accepts
the client when creating an SSL session.  However, the servlet still requires
authentication.  Since this has not been provided, a 401 error is returned.

Next, you set the SSL connector to require the client to prove its identity via a
certificate.  At first this does not work because you have to tell the JVM of
the client to provide the certificate.  After doing that, you end up in the same
situation as above.  The client attempts to communicate with the server.  The
server requires an SSL connection and requests a certificate from the client.
The client provides the certificate.  The server accepts the certificate and
the SSL handshake proceeds.  The result is a mutually trusted encrypted
connection.  Then the original request made by the client starts to be processed
by the servlet container.  The container determines that the request requires
BASIC authentication.  However, you have not provided this.  So the container
returns the 401 error.

So, set up a client to negotiate BASIC authentication as well as providing 
certificates for SSL encryption and see what happens.  If you still do not 
agree with me, then I am not sure what other arguments I can provide.  In any 
case, thanks for the thoughtful discussion.

later, cgriffith

View the original post : 
http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3949344#3949344
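
The test the post suggests, as an added example (not part of the original message and not JBoss code): a Java client that presents a certificate during the SSL handshake and, on its second request, also sends BASIC credentials. The URL, store file names, passwords and account are hypothetical placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Base64;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class MutualTlsBasicClient {
    // Hypothetical values: replace with your own endpoint, stores and account.
    static final String URL_STR = "https://localhost:8443/myapp/secured";
    static final char[] STORE_PASS = "changeit".toCharArray();
    static KeyStore load(String path, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, STORE_PASS);
        }
        return ks;
    }

    // Layer 2: HTTP BASIC credentials, carried inside the encrypted channel.
    static String basicHeader(String user, String password) {
        byte[] raw = (user + ":" + password).getBytes(StandardCharsets.UTF_8);
        return "Basic " + Base64.getEncoder().encodeToString(raw);
    }

    public static void main(String[] args) throws Exception {
        // Layer 1: key material for the SSL handshake (client certificate and trusted CAs).
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load("client.p12", "PKCS12"), STORE_PASS);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("truststore.jks", "JKS"));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        for (boolean sendBasic : new boolean[] {false, true}) {
            HttpsURLConnection con = (HttpsURLConnection) URI.create(URL_STR).toURL().openConnection();
            con.setSSLSocketFactory(ctx.getSocketFactory());
            if (sendBasic) {
                con.setRequestProperty("Authorization", basicHeader("someuser", "somepassword"));
            }
            // The handshake is identical both times; only the second request carries BASIC credentials.
            System.out.println("BASIC header sent=" + sendBasic + " -> HTTP " + con.getResponseCode());
            con.disconnect();
        }
    }
}
```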
