Hello,

In the platform I am currently working on, we have to set up Tomcat to require client certificate authentication. The main difference from the standard settings as described in http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html is that we wish to accept any client certificates, including self-signed ones.

The main reason for that is that we perform a second verification on the application layer as our truststore is dynamic.

We have a JAASRealm class extension which basically overrides the hasResourcePermission method, setting it to always return true. Below you can see the configuration we added to server.xml:

<Realm className="com.privasphere.privalope.security.auth.ClientCertInAppRealm" debug="99"/>

Nevertheless, I believe this method is only called after the initial handshake, after the client certificate has been accepted or refused (this is a guess). In addition, I am not entirely sure what I should put in the "truststoreFile" property. As we want to accept all certificates, this file would probably be empty.

Any suggestions or best practices for this problem?

Best regards,
Luciana Moreira


----------
This message has been signed by the PrivaSphere Mail Signature Service.


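Added example (editor's own code, not code from the original post, from PrivaSphere, or from Tomcat): the two halves of the "accept anything at the handshake, decide at the application layer" design the question describes. The first half is a JSSE X509TrustManager that accepts any client chain, self-signed included; the second is a servlet Filter that pins the presented certificate by SHA-256 fingerprint against a dynamic registry and returns 403 otherwise. The class names ClientCertPinning, AcceptAnyClientCertTrustManager, Registry and PinningFilter, the request attribute "authenticated.subject", and the enrolled fingerprints are all assumptions made for the example; the attribute "javax.servlet.request.X509Certificate" is the standard servlet attribute under which Tomcat exposes the client chain.

```java
import java.io.IOException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.X509TrustManager;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical holder class; names below are assumptions for the example. */
public final class ClientCertPinning {

    /**
     * TLS layer: accept any client chain so the handshake completes.
     * All the handshake then proves is that the peer holds the private key
     * for the leaf certificate it sent (TLS CertificateVerify). Who that
     * key belongs to is decided by PinningFilter, not here.
     */
    public static final class AcceptAnyClientCertTrustManager implements X509TrustManager {
        public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            if (chain == null || chain.length == 0) {
                throw new CertificateException("no client certificate presented");
            }
            // The only check kept at this layer: reject expired / not-yet-valid leaves.
            chain[0].checkValidity();
        }
        public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            // This manager is for validating clients only; never reuse it for outbound TLS.
            throw new CertificateException("server certificates are not validated here");
        }
        public X509Certificate[] getAcceptedIssuers() {
            // Empty list: the CertificateRequest carries no issuer names, so clients
            // send whatever certificate they have, including self-signed ones.
            return new X509Certificate[0];
        }
    }

    /** Hex SHA-256 over the DER encoding: the value we pin, stable across renames. */
    public static String fingerprint(X509Certificate cert) throws CertificateEncodingException {
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder hex = new StringBuilder(digest.length * 2);
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
    }

    /** The "dynamic truststore": fingerprint -> subject, editable at runtime. */
    public static final class Registry {
        private final Map<String, String> pins = new ConcurrentHashMap<String, String>();
        public void enroll(X509Certificate cert, String subject) throws CertificateEncodingException {
            pins.put(fingerprint(cert), subject);
        }
        public void revoke(String fingerprintHex) { pins.remove(fingerprintHex); }
        /** Returns the enrolled subject, or null if the certificate is unknown. */
        public String lookup(String fingerprintHex) { return pins.get(fingerprintHex); }
    }

    /** Application layer: the second verification. Runs only after the handshake succeeded. */
    public static final class PinningFilter implements Filter {
        private final Registry registry;
        public PinningFilter(Registry registry) { this.registry = registry; }
        public void init(FilterConfig config) { }
        public void destroy() { }

        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            X509Certificate[] certs =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
            String subject = null;
            // Edge case: with clientAuth="want" the handshake succeeds without a certificate,
            // so a missing chain must be treated as a failed authentication, not skipped.
            if (certs != null && certs.length > 0) {
                try {
                    subject = registry.lookup(fingerprint(certs[0]));
                } catch (CertificateEncodingException e) {
                    subject = null; // unencodable certificate: treat as unknown
                }
            }
            if (subject == null) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            req.setAttribute("authenticated.subject", subject); // assumed attribute name
            chain.doFilter(req, res);
        }
    }
}
```

Two things to check when wiring this into Tomcat. First, the standard JSSE connector builds its own trust manager from truststoreFile: with clientAuth="true" and an empty truststore the default trust manager rejects every client chain during the handshake, so the Realm (or a filter) is never reached, and clientAuth="want" only makes the certificate optional; an unknown self-signed certificate still fails the handshake. The AcceptAnyClientCertTrustManager above is therefore the piece that has to replace the connector's default trust manager, and how that is installed depends on the connector's SSL implementation rather than on server.xml alone. Second, the Realm's hasResourcePermission is invoked during request processing, after the handshake, so it sees only connections that JSSE already accepted; pinning by fingerprint (or by public key) against the registry is what turns "some key holder connected" into "this enrolled client connected".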