tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Qingqing Ouyang <>
Subject Re: cvs commit: jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net
Date Fri, 20 Sep 2002 18:53:44 GMT
Hi, Bill:

Thanx for the comments.  Please see the following.

>>Can someone start the Tomcat server with clientAuth=false, but access
>>a URI that is protected by CLIENT-CERT?  If yes, then I think a
>>re-handshake is a must.
> But using CertificatesValve to accomplish this is the wrong way to do it.
> Catalina has no good reason to know or care what transport the request was
> received on.  It's the connector's job to take care of that.
> It looks like we may need another Action to handle this case (probably
> invoked by the Realm).  Comments?

Okay, that is where my ignorance kicks in. ;-)

I agree that Catalina does not have to know/care about what
transport the request is received on.  The logical place for
this to happen is somewhere:

1. Tomcat has enough information to determine the incoming
    request is intended for a Context that requires the
    client-cert authentication

2. Tomcat also has to have the handle on the specific
    transport mechanism to force this second handshake with
    the client.

3. The certificate information also has to be populated with
    the Request object for further authorization calls...

Does that sound right?

To unsubscribe, e-mail:   <>
For additional commands, e-mail: <>

View raw message