tomcat-users mailing list archives

From "Christopher Williams" <>
Subject SSL Client authentication woes
Date Wed, 01 Oct 2003 15:13:14 GMT
My setup:
Windows XP Pro
JDK 1.4.1

I'm hoping to get SSL client authentication working for web services.  I set
up Tomcat for SSL ages ago and it works fine.  However, I run into multiple
problems when I attempt to use SSL client authentication.

I have enabled client authentication by changing the value of "clientAuth"
in server.xml to true.  I removed all <security-constraint> and
<login-config> entries from my web.xml as they didn't appear to have any
effect (question: am I right to do so?  I've done my research on the web and
there are no consistent instructions for what to do).

When I access https://localhost:8443/ in Internet Explorer, I get notified
that a private key is being used and the server home page displays fine.
However, when I first access the page, the following stack trace appears on
Tomcat's console:

     PoolTcpEndpoint: Handshake failed Remote host closed connection during handshake
     Caused by: SSL peer shut down incorrectly
         ... 7 more
     ThreadPool: Caught exception executing, terminating thread

Does anybody know what the problem is here?

The second thing is, I want to know who's accessing pages and web services.
That's the whole point of authentication, right?  However, when SSL client
authentication is in force, the following calls all return null:


This seems most bizarre.  At some point these calls must return non-null
values as they are used in
org.apache.catalina.authenticator.SSLAuthenticator.  Does anybody know
whether there are any server settings to make these calls return the correct

Ideally, I would like to have just one or two URL-patterns protected by SSL,
like you do with HTTP authentication rather than it being all or nothing.
Is this possible with Tomcat?

Kind regards,

Chris Williams.
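
An added example, not part of the original message: a servlet that reports who presented a client certificate, reading the Servlet specification's `javax.servlet.request.X509Certificate` request attribute next to the container-managed identity calls. The class name `ClientCertInfoServlet` is hypothetical, and the code assumes the `javax.servlet` API of the Tomcat releases contemporary with this post.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; map it to a URL pattern in web.xml.
public class ClientCertInfoServlet extends HttpServlet {

    // Attribute defined by the Servlet specification: the certificate
    // chain the client presented during the TLS handshake.
    private static final String CERT_ATTR =
            "javax.servlet.request.X509Certificate";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // Refuse plain HTTP: no handshake means no certificate to inspect.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "No client certificate presented");
            return;
        }
        // chain[0] is the client's own certificate; later entries are issuers.
        X509Certificate client = chain[0];

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Subject: " + client.getSubjectX500Principal().getName());
        out.println("Issuer:  " + client.getIssuerX500Principal().getName());
        out.println("Serial:  " + client.getSerialNumber().toString(16));

        // Container-managed identity: set only when the container itself
        // authenticated the request (a <login-config> plus a matching
        // <security-constraint>); otherwise both values are null.
        Principal user = req.getUserPrincipal();
        out.println("AuthType:  " + req.getAuthType());
        out.println("Principal: " + (user == null ? "(none)" : user.getName()));
    }
}
```

The certificate attribute reflects what the TLS layer verified against the connector's trust store, while `getUserPrincipal()` and `getAuthType()` reflect the web application's own declared authentication, so the two can differ on the same request.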
