tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Ken Sims" <>
Subject org.apache.catalina.authenticator.SSLAutheticator
Date Mon, 08 Nov 2004 16:25:59 GMT
I am curious why SSLAuthenticator does not/cannot compare some attribute
of the client cert with the remote address (requestor)?  Without such a
check, it seems to me that certificates are as easily shared as the
credentials used in basic authentication.

Also, why do the realm implementations always return null for
getPrincipal?  Couldn't they lookup the user on the  users database,
ignoring password, to establish authorized roles?

The combination of these two things seems to me to really limit the
usefulness of client certificate authentication because authentication
provides little guarantee of who the client is, and even if it did, the
client is denied access to any protected resources.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message