Tomcat doesn't currently have a clientAuth="want" option. Yes, it's on my to-do list someplace, but you could move it up a lot by submitting a patch ;-).

"Lira, Alesio" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
After all, there is a solution installing Apache and configuring certificates as optional.... But there must be a Tomcat alone solution.

> -----Original Message-----
> From: Lira, Alesio
> Sent: Thursday, 27 November 2003 11:17
> To: Tomcat Users List
> Subject: RE: Difficulty with SSL authentication without client certificate
>
> The most usual case that this behavior of Tomcat is a nuisance, is when you wish to accept an SSL session; but if there is no client certificate, go ahead but with some functionality excluded. In my case, I give more sensitive information if a client certificate is present. Trapping the Error 400 (bad request), doesn't give me the behavior I want.
> I don't think that an absence of client certificate is a bug. Think of accessing in a hurry a secure site from a hotel business service because your laptop is kaput... I will not import my certificate into a machine that is used by anyone unknown. But if the secure service recognizes you ( but with lesser power ) because you don't give a certificate and let you go forward; that is what I want.
>
> > -----Original Message-----
> > From: Bill Barker [SMTP:[EMAIL PROTECTED]
> > Sent: Thursday, 27 November 2003 4:21
> > To: [EMAIL PROTECTED]
> > Subject: Re: Difficulty with SSL authentication without client certificate
> >
> > For what you want, I'd probably go with a Filter that stores the Principal
> > under a "well-known-name" for use by the Servlet. For Container level
> > security, it is clearly an error if the client won't provide a client-cert.
> >
> > Note: I consider that the fact that you are getting any response at all to
> > be a bug (which I plan to look into;). If the client doesn't provide a
> > cert, then the connection should be rudely terminated.
> >
> > "Lira, Alesio" <[EMAIL PROTECTED]> wrote in message
> > news:[EMAIL PROTECTED]
> > Hello there.
> >
> > I've tried to configure a security realm for pages; that if a user
> > certificate is present it will be used, but if it doesn't exist the
> > application will resolve the situation with the user authentication level
> > already known.
> > After wrestling with the web.xml parameters and defining a user realm; I
> > have found that Tomcat ( 4.1.27 ) returns a BAD REQUEST; and control is
> > never ever given to the user realm defined. So, I turned into the source
> > code.
> >
> >
> > In org.apache.catalina.authenticator.SSLAuthenticator.authenticate(), I've
> > found this:
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]
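
The Filter approach suggested in the quoted reply (store the certificate Principal under a well-known name for the servlet to read) could look like the following. This is an added example, not code from the thread or from Tomcat: the class name `OptionalClientCertFilter` and the attribute name `app.clientCertPrincipal` are hypothetical, and it assumes the TLS endpoint requests a client certificate without requiring one and exposes the validated chain through the standard `javax.servlet.request.X509Certificate` request attribute.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

// Hypothetical filter; not part of Tomcat.
public class OptionalClientCertFilter implements Filter {

    // Standard Servlet-spec attribute carrying the client certificate chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Hypothetical "well-known name" that the application's servlets read.
    public static final String PRINCIPAL_ATTR = "app.clientCertPrincipal";

    public void init(FilterConfig config) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Clear any value an earlier component set, so only this filter decides.
        req.removeAttribute(PRINCIPAL_ATTR);

        Object attr = req.getAttribute(CERT_ATTR);
        if (req.isSecure() && attr instanceof X509Certificate[]) {
            X509Certificate[] certs = (X509Certificate[]) attr;
            if (certs.length > 0) {
                // Element 0 is the client's own certificate. Assumption: the
                // TLS layer already validated the chain against its trust store;
                // this filter does no validation of its own.
                Principal subject = certs[0].getSubjectDN();
                req.setAttribute(PRINCIPAL_ATTR, subject);
            }
        }
        // No certificate: PRINCIPAL_ATTR stays absent and the request continues,
        // so servlets take the reduced-functionality path instead of a 400.
        chain.doFilter(req, res);
    }

    public void destroy() { }

    // For servlets: true only when a certificate identity was recorded above.
    public static boolean hasCertIdentity(ServletRequest req) {
        return req.getAttribute(PRINCIPAL_ATTR) instanceof Principal;
    }
}
```

Servlets should gate the more sensitive output on `hasCertIdentity(request)` and treat its absence as the lower-privilege case, never the reverse.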