tomcat-dev mailing list archives

From Remy Maucherat <>
Subject Re: cvs commit: jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net
Date Sat, 21 Sep 2002 09:27:13 GMT
Qingqing Ouyang wrote:
> Hi, Bill:
> Thanks for the comments.  Please see the following.
>>> Can someone start the Tomcat server with clientAuth=false, but access
>>> a URI that is protected by CLIENT-CERT?  If yes, then I think a
>>> re-handshake is a must.
>> But using CertificatesValve to accomplish this is the wrong way to do it.
>> Catalina has no good reason to know or care what transport the request
>> was received on.  It's the connector's job to take care of that.
>> It looks like we may need another Action to handle this case (probably
>> invoked by the Realm).  Comments?
> Okay, that is where my ignorance kicks in. ;-)
> I agree that Catalina does not have to know/care about what
> transport the request is received on.  The logical place for
> this to happen is somewhere:
> 1. Tomcat has enough information to determine the incoming
>    request is intended for a Context that requires the
>    client-cert authentication
> 2. Tomcat also has to have the handle on the specific
>    transport mechanism to force this second handshake with
>    the client.
> 3. The certificate information also has to be populated with
>    the Request object for further authorization calls...

We can have the current certificate valve send an action to the Coyote 
layer, which would then update the appropriate attributes.
I think some new method is needed in SSLSupport.
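The following sketch is an added illustration of the division of labour described in this thread; it is not Tomcat code and does not reproduce any existing Coyote or Catalina API. The container side (Realm or certificate valve) only asks the connector for certificates through an action; the connector side, which alone holds the socket, performs the second handshake and populates the request. The `Action` enum, the `CoyoteRequest`, `SslSupport` and `Connector` classes and the method `renegotiateForClientCert` are all hypothetical names chosen for the example. The `javax.net.ssl` calls and the `javax.servlet.request.X509Certificate` attribute name are the standard ones.

```java
// Added example (not Tomcat's code): lazy client-certificate retrieval.
// Container asks via an action; only the connector touches the transport.
import java.io.IOException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import javax.net.ssl.SSLPeerUnverifiedException;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;

public class ClientCertOnDemand {

    /** Hypothetical action code the container sends to the connector. */
    public enum Action { REQ_SSL_CERTIFICATE }

    /** Standard servlet attribute under which the chain is exposed. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Minimal stand-in for the connector's per-request state (hypothetical). */
    static final class CoyoteRequest {
        final Map<String, Object> attributes = new HashMap<>();
    }

    /** Connector-side SSL support: the only layer that holds the socket. */
    static final class SslSupport {
        private final SSLSocket socket;
        SslSupport(SSLSocket socket) { this.socket = socket; }

        /** The "new method in SSLSupport": renegotiate, this time demanding a client cert. */
        X509Certificate[] renegotiateForClientCert() throws IOException {
            socket.setNeedClientAuth(true);   // a handshake now fails without a client cert
            socket.startHandshake();          // on an established connection this renegotiates
            SSLSession session = socket.getSession();
            try {
                Certificate[] chain = session.getPeerCertificates();
                X509Certificate[] x509 = new X509Certificate[chain.length];
                for (int i = 0; i < chain.length; i++) {
                    x509[i] = (X509Certificate) chain[i];
                }
                return x509;
            } catch (SSLPeerUnverifiedException e) {
                return null;                  // peer presented no verifiable certificate
            }
        }
    }

    /** Connector-side dispatcher for actions coming from the container. */
    static final class Connector {
        private final SslSupport ssl;
        Connector(SslSupport ssl) { this.ssl = ssl; }

        void action(Action code, CoyoteRequest req) throws IOException {
            if (code == Action.REQ_SSL_CERTIFICATE
                    && !req.attributes.containsKey(CERT_ATTR)) {
                X509Certificate[] chain = ssl.renegotiateForClientCert();
                if (chain != null) {
                    req.attributes.put(CERT_ATTR, chain); // populate for later authorization
                }
            }
        }
    }

    /** Container side (Realm / valve): asks for certificates, never touches the socket. */
    static X509Certificate[] certificatesFor(Connector connector, CoyoteRequest req)
            throws IOException {
        Object certs = req.attributes.get(CERT_ATTR);
        if (certs == null) {
            // Only reached for a Context protected by CLIENT-CERT when the
            // connector was started with clientAuth=false.
            connector.action(Action.REQ_SSL_CERTIFICATE, req);
            certs = req.attributes.get(CERT_ATTR);
        }
        return (X509Certificate[]) certs;   // null means: deny, no certificate obtained
    }
}
```

Two points worth keeping in mind with this shape: the action is idempotent (a chain already present is not re-requested), and a `null` result must be treated by the Realm as an authentication failure rather than a fall-through, since the client was given its chance to present a certificate and did not.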
