Thank you so much Chris and Mark! Sincerely appreciate the inputs. Sent from my iPhone
> On Apr 11, 2018, at 8:16 AM, Christopher Schultz > <ch...@christopherschultz.net> wrote: > > Mark and Amit, > >> On 4/10/18 2:21 AM, Mark Thomas wrote: >>> On 9 April 2018 23:29:43 BST, Amit Pande <amit.pa...@veritas.com> wrote: >>> Some more debugging here and I got some stuff working here. >>> >>> Only one question: >>> >>> It is not really clear from the documentation of "clientAuth" >>> >>> "Set to true if you want the SSL stack to require a valid certificate >>> chain from the client before accepting a connection. Set to want if you >>> want the SSL stack to request a client Certificate, but not fail if one >>> isn't presented. A false value (which is the default) will not require >>> a certificate chain unless the client requests a resource protected by >>> a security constraint that uses CLIENT-CERT authentication. See the SSL >>> HowTo for an example. That SSL HowTo also contains tips on using >>> per-user or per-session certificate-based clientAuth." >>> >>> So, if I am using a clientAuth="false" and relying on "CLIENT-CERT" >>> configuration, does that mean browsers won't prompt users to supply the >>> certificate when a protected resource is accessed? >> >> In that scenario the browser will prompt the user for a certificate if >> everything is correctly configured. >> >> However, it is possible that the browser will determine that it has no >> matching certificates and therefore decide not to display the certificate >> prompt. > > Also, sometimes browsers will "remember" your choice from a prior > interaction during the same browser session. So for example if you have > clientAuth="want" and you press "No/Cancel/[escape]/[close window]" the > browser may "remember" that you don't want to present a certificate. > > -chris > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
