The most usual case in which this behavior of Tomcat is a nuisance is when you wish to
accept an SSL session, but if there is no client certificate, go ahead with some
functionality excluded. In my case, I give more sensitive information if a client
certificate is present. Trapping the Error 400 (bad request) doesn't give me the
behavior I want.
I don't think that an absence of client certificate is a bug. Think of accessing,
in a hurry, a secure site from a hotel business service because your laptop is kaput...
I will not import my certificate into a machine that is used by anyone unknown. But if
the secure service recognizes you (but with lesser power) because you don't give a
certificate and lets you go forward, that is what I want.

> -----Original message-----
> From:   Bill Barker [SMTP:[EMAIL PROTECTED]
> Sent:   Thursday, 27 November 2003 4:21
> To: [EMAIL PROTECTED]
> Subject:       Re: Difficulty with SSL authentication without client certificate
> 
> For what you want, I'd probably go with a Filter that stores the Principal
> under a "well-known-name" for use by the Servlet.  For Container level
> security, it is clearly an error if the client won't provide a client-cert.
> 
> Note:  I consider that the fact that you are getting any response at all to
> be a bug (which I plan to look into;).  If the client doesn't provide a
> cert, then the connection should be rudely terminated.
> 
> "Lira, Alesio" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> Hello there.
> 
> I've tried to configure a security realm for pages; that if a user
> certificate is present it will be used, but if it doesn't exist the
> application will resolve the situation with the user authentication level
> already known.
> After wrestling with the web.xml parameters and defining a user realm, I
> have found that Tomcat (4.1.27) returns a BAD REQUEST, and control is
> never ever given to the user realm defined. So, I turned to the source
> code.
> 
> 
> In org.apache.catalina.authenticator.SSLAuthenticator.authenticate(), I've
> found this:
> 

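The Filter approach Bill Barker suggests, written out as an added example (it is not code from this thread or from Tomcat). The class name `OptionalClientCertFilter` and the attribute name `example.clientCertPrincipal` are assumptions chosen for the example; `javax.servlet.request.X509Certificate` is the standard Servlet request attribute the container populates after the TLS handshake. It assumes the connector is set up to accept connections without a client certificate and that the page is not behind a CLIENT-CERT security constraint, since container-level security would reject the request before the Filter runs.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/**
 * Records the client certificate's subject Principal under a well-known
 * request attribute. Requests without a certificate pass through with no
 * Principal set, so the servlet can decide what to withhold.
 */
public class OptionalClientCertFilter implements Filter {
    // Well-known attribute name; hypothetical, chosen for this example.
    public static final String CERT_PRINCIPAL = "example.clientCertPrincipal";
    // Standard attribute set by the container when a chain was presented and verified.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        // Only consult the attribute on an SSL connection; never derive identity
        // from a client-supplied header, which anyone can forge.
        if (http.isSecure()) {
            Object certs = http.getAttribute(CERT_ATTR);
            if (certs instanceof X509Certificate[] && ((X509Certificate[]) certs).length > 0) {
                X509Certificate leaf = ((X509Certificate[]) certs)[0];
                Principal subject = leaf.getSubjectDN();
                http.setAttribute(CERT_PRINCIPAL, subject);
            }
        }
        chain.doFilter(req, res);
    }

    /** Servlet-side check: true only when a verified certificate was presented. */
    public static boolean hasCertPrincipal(HttpServletRequest http) {
        return http.getAttribute(CERT_PRINCIPAL) instanceof Principal;
    }
}
```

A servlet calls `OptionalClientCertFilter.hasCertPrincipal(request)` and emits the sensitive fields only when it returns true; everything else is served to both kinds of client.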