tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lira, Alesio" <>
Subject RE: Difficulty with SSL authentication without client certificate
Date Thu, 27 Nov 2003 14:16:45 GMT
The most usual case that this behavior of tomcat is a nuissance, is when you wish to accept
a SSL session; but if there is no client certificate, go ahead but with some functionality
excluded. In my case, I give more sensitive information if a client certificate is present.
Trapping the Error 400 (bad request), doesn't gives me the behavior I want. 
I don't think that an absence of client certificate is a bug. Think you of accessing in a
hurry a secure site from a hotel bussines service because your laptop is kaput... I will not
import my certificate into a machine that is used by anyone unkown. But if the secure service
recognizes you ( but with lesser power ) because you don't give a certificate and let you
go forward; that is what i want.

> -----Mensaje original-----
> De:	Bill Barker []
> Enviado el:	jueves 27 de noviembre de 2003 4:21
> Para:
> Asunto:	Re: Difficulty with SSL authentication without client certificate
> For what you want, I'd probably go with a Filter that stores the Principal
> under a "well-known-name" for use by the Servlet.  For Container level
> security, it is clearly an error if the client won't provide a client-cert.
> Note:  I consider that the fact that you are getting any response at all to
> be a bug (which I plan to look into;).  If the client doesn't provide a
> cert, then the connection should be rudely terminated.
> "Lira, Alesio" <> wrote in message
> Hello there.
> I've tried to configure a security realm for pages; that if a user
> certificate is present it will be used, but if it doesn't exist the
> application will resolve the situation with the user authentication level
> already known.
> After wrestling with the web.xml parameters and defining a user realm; I
> have found that Tomcat ( 4.1.27 ) returns a BAD REQUEST; and control is
> never ever given to the user realm defined. So, I turned into the source
> code.
> In org.apache.catalina.authenticator.SSLAuthenticator.authenticate(), I've
> found this :
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message