My setup:
  Windows XP Pro
  JDK 1.4.1
  JWSDP 1.0

I'm hoping to get SSL client authentication working for web services. I set up Tomcat for SSL ages ago and it works fine. However, I run into multiple problems when I attempt to use SSL client authentication.

I have enabled client authentication by changing the value of "clientAuth" in server.xml to true. I removed all <security-constraint> and <login-config> entries from my web.xml as they didn't appear to have any effect (question: am I right to do so? I've done my research on the web and there are no consistent instructions for what to do).

When I access https://localhost:8443/ in Internet Explorer, I get notified that a private key is being used and the server home page displays fine. However, when I first access the page, the following stack trace appears on Tomcat's console:

PoolTcpEndpoint: Handshake failed
javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
...
Caused by: java.io.EOFException: SSL peer shut down incorrectly
        at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
        ... 7 more
ThreadPool: Caught exception executing [EMAIL PROTECTED], terminating thread
java.lang.NullPointerException
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:512)
...

Does anybody know what the problem is here?

The second thing is, I want to know who's accessing pages and web services. That's the whole point of authentication, right? However, when SSL client authentication is in force, the following calls all return null:

  request.getUserPrincipal()
  request.getRemoteUser()
  request.getAttribute("javax.servlet.request.X509Certificate")
  request.getAttribute("org.apache.coyote.request.X509Certificate")

This seems most bizarre. At some point these calls must return non-null values, as they are used in org.apache.catalina.authenticator.SSLAuthenticator. Does anybody know whether there are any server settings to make these calls return the correct values?

Ideally, I would like to have just one or two URL patterns protected by SSL, as you do with HTTP authentication, rather than it being all or nothing. Is this possible with Tomcat?

Kind regards,
Chris Williams.
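As an added example (not part of the post above, and not Tomcat's or JWSDP's own code), here is the Servlet 2.3 mechanism the post's second and third questions touch on: a <security-constraint> with a CONFIDENTIAL transport-guarantee limits the SSL requirement to chosen URL patterns, a CLIENT-CERT <login-config> is what makes the container populate getRemoteUser()/getUserPrincipal() from the certificate, and the certificate chain itself is always read through the spec-defined request attribute "javax.servlet.request.X509Certificate". The servlet name WhoAmIServlet, the /secure/* pattern and the role name certuser are assumptions chosen for the example; the web.xml entries it relies on are reproduced in the class comment so the unit is self-contained.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed web.xml entries (Servlet 2.3), so that only /secure/* requires SSL
 * plus a client certificate while the rest of the webapp stays open:
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>Certificate-protected area</web-resource-name>
 *       <url-pattern>/secure/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint>
 *       <role-name>certuser</role-name>
 *     </auth-constraint>
 *     <user-data-constraint>
 *       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
 *     </user-data-constraint>
 *   </security-constraint>
 *   <login-config>
 *     <auth-method>CLIENT-CERT</auth-method>
 *   </login-config>
 *   <security-role><role-name>certuser</role-name></security-role>
 *
 * With CLIENT-CERT the container's realm must resolve the certificate's
 * subject DN to a user holding role "certuser"; for Tomcat's MemoryRealm
 * that means a user in tomcat-users.xml whose name is the full subject DN
 * string (assumption for this example; check the realm in use).
 */
public class WhoAmIServlet extends HttpServlet {

    // Attribute name defined by the Servlet spec; the value is a
    // java.security.cert.X509Certificate[] with the client cert at index 0.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // The attribute is only set when the SSL handshake on this connection
        // actually carried a client certificate. Over plain HTTP, or over SSL
        // with clientAuth="false", it is null: treat that as unauthenticated
        // instead of dereferencing it.
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "No client certificate presented");
            return;
        }

        X509Certificate cert = chain[0];
        try {
            // The connector already verified the chain against its truststore
            // during the handshake; this only re-checks the validity period of
            // the end-entity certificate at request time.
            cert.checkValidity();
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate not valid: " + e.getMessage());
            return;
        }

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Subject DN:    " + cert.getSubjectX500Principal().getName());
        out.println("Issuer DN:     " + cert.getIssuerX500Principal().getName());
        out.println("Serial number: " + cert.getSerialNumber().toString(16));
        out.println("Not after:     " + cert.getNotAfter());
        out.println("Chain length:  " + chain.length);
        out.println("Secure:        " + req.isSecure());
        // These two are filled in by the container only when the request
        // matched a security-constraint and the CLIENT-CERT login succeeded;
        // outside a constrained URL pattern they stay null even with a cert.
        out.println("Remote user:   " + req.getRemoteUser());
        out.println("Principal:     " + req.getUserPrincipal());
    }
}
```

Two practical notes on the assumptions above: a CONFIDENTIAL transport-guarantee only works as "redirect to SSL" if the non-SSL connector in server.xml has a redirectPort pointing at the SSL connector; and the certificate attribute is independent of web.xml, so if it is null on a request that really arrived over the clientAuth="true" connector, the handshake did not complete with a client certificate, which is worth checking against the connector's truststore before looking at the webapp configuration.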