On 2/19/10, Christopher Schultz <ch...@christopherschultz.net> wrote:
> On 2/19/2010 1:48 AM, Jason Brittain wrote:
>> Nope. clientAuth="false" means that the webapp's web.xml specifies which
>> resources require the client certificate.
>
> Gotcha: I thought that "false" would cause the connector to ignore all
> client cert info, while "want" would collect it but not process it,
> while "true" would perform the checks for you.
>
> Instead, "false" and "want" are essentially the same (right?) and "true"
> does the checks for you. If you have "want" or "false", plus a
> <web-resource-collection> that demands CLIENT-AUTH, then it will be used
> for identification purposes, but not actually checked against a valid
> certificate chain.
>
> Do I have that right?

The behavior I see is this: "false" does not request the client certificate at all. "want" requests it, but allows the connection to go through if no client certificate is presented. "true" requires a client certificate and kills the connection if no client certificate (or an unacceptable one) is presented.