Re: cvs commit: jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator SSLAuthenticator.java

2002-09-23 Thread Qingqing Ouyang
Hi, Bill: Sorry for getting back a bit late. I was trying to track down the exact spec for the claim I am about to make. But the JSSE contact person is not available today. I took a look at the changes you made in the coyote connector; it seems to me that the implementation there still does

Re: cvs commit: jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net JSSESocketFactory.java

2002-09-20 Thread Qingqing Ouyang
Hi, Bill: Thanks for the comments. Please see the following. Can someone start the Tomcat server with clientAuth=false, but access a URI that is protected by CLIENT-CERT? If yes, then I think a re-handshake is a must. But using CertificatesValve to accomplish this is the wrong way to do

Re: cvs commit: jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net JSSESocketFactory.java

2002-09-20 Thread Qingqing Ouyang
1. Tomcat has enough information to determine the incoming request is intended for a Context that requires the client-cert authentication True. However it is unnecessary to do it for the entire Context. It is only necessary for the pages that require authentication. Yes!

Re: cvs commit: jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net JSSESocketFactory.java

2002-09-19 Thread Qingqing Ouyang
Hi, Bill: I have a question regarding your comment on the CertificatesValve should not be used any more... My understanding of how the CertificatesValve is used is as follows: 1. The clientAuth attribute in server.xml only determines whether the Tomcat server by default will require client