André Cruz wrote: > Hello. > > I have a specific page in my site that uses ssl client certificates for > authentication and the application itself does the cert validation. As > the rest of the site does not use them I have clientAuth="false" in my > connector otherwise the browsers keep asking for client certificates. > > I installed a custom security provider to accept all certificates and > built a Valve that requests a SSL renegotiation to try and get a > certificate:
Why not just set appropriate security constraints and get Tomcat to handle this for you (as per my example in bug 46950)? > req.getCoyoteRequest().action(ActionCode.ACTION_REQ_SSL_CERTIFICATE, > null); > > Using APR no certificate is requested from the client (probably because > of bug 46950). Yep. That needs to be fixed. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
