tomcat-users mailing list archives

From "Lira, Alesio" <l...@ediguay.com.uy>
Subject RE: Difficulty with SSL authentication without client certificate
Date Thu, 27 Nov 2003 17:31:17 GMT
After all, there is a solution: installing Apache and configuring certificates as optional...
But there must be a Tomcat-alone solution.

> -----Original Message-----
> From:	Lira, Alesio 
> Sent:	Thursday, 27 November 2003 11:17
> To:	Tomcat Users List
> Subject:	RE: Difficulty with SSL authentication without client certificate
> 
> The most usual case in which this behavior of Tomcat is a nuisance is when you wish to
> accept an SSL session but, if there is no client certificate, go ahead with some functionality
> excluded. In my case, I give more sensitive information if a client certificate is present.
> Trapping the Error 400 (bad request) doesn't give me the behavior I want.
> I don't think that an absence of client certificate is a bug. Think of accessing
> a secure site in a hurry from a hotel business service because your laptop is kaput... I will
> not import my certificate into a machine that is used by anyone unknown. But if the secure
> service recognizes you (but with lesser power) because you don't give a certificate and
> lets you go forward, that is what I want.
> 
> > -----Original Message-----
> > From:	Bill Barker [SMTP:wbarker@wilshire.com]
> > Sent:	Thursday, 27 November 2003 4:21
> > To:	tomcat-user@jakarta.apache.org
> > Subject:	Re: Difficulty with SSL authentication without client certificate
> > 
> > For what you want, I'd probably go with a Filter that stores the Principal
> > under a "well-known-name" for use by the Servlet.  For Container level
> > security, it is clearly an error if the client won't provide a client-cert.
> > 
> > Note:  I consider that the fact that you are getting any response at all to
> > be a bug (which I plan to look into;).  If the client doesn't provide a
> > cert, then the connection should be rudely terminated.
> > 
> > "Lira, Alesio" <lira@ediguay.com.uy> wrote in message
> > news:F40C3FBEC6EC5B47A8CA30B44CABF54D01F62401@excesa01.ediguay.com.uy...
> > Hello there.
> > 
> > I've tried to configure a security realm for pages; that if a user
> > certificate is present it will be used, but if it doesn't exist the
> > application will resolve the situation with the user authentication level
> > already known.
> > After wrestling with the web.xml parameters and defining a user realm; I
> > have found that Tomcat ( 4.1.27 ) returns a BAD REQUEST; and control is
> > never ever given to the user realm defined. So, I turned into the source
> > code.
> > 
> > 
> > In org.apache.catalina.authenticator.SSLAuthenticator.authenticate(), I've
> > found this :
> > 
> > 
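
A sketch of the Filter approach suggested in the thread, as an added example that is not code from any poster or from Tomcat. It assumes the TLS endpoint (the connector, or a front end such as the Apache setup mentioned above) requests a client certificate without requiring one, validates any chain presented, and exposes it through the servlet-specification request attribute; the class name and the "well-known name" are hypothetical.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;

public class OptionalClientCertFilter implements Filter {
    // Hypothetical "well-known name" under which servlets look up the Principal.
    public static final String CERT_PRINCIPAL_ATTR = "example.clientCertPrincipal";
    // Attribute name defined by the Servlet specification for the TLS client chain.
    private static final String CERT_CHAIN_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig config) {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Clear first so a stale value from an earlier forward/include is never trusted.
        req.removeAttribute(CERT_PRINCIPAL_ATTR);
        Principal p = principalFrom(req);
        if (p != null) {
            req.setAttribute(CERT_PRINCIPAL_ATTR, p);
        }
        // No certificate is not an error here: the request continues with the
        // attribute absent and the servlet decides what to withhold.
        chain.doFilter(req, res);
    }

    // Returns the subject of the leaf certificate, or null if none was presented.
    static Principal principalFrom(ServletRequest req) {
        if (!req.isSecure()) return null;            // only trust certs seen over TLS
        Object attr = req.getAttribute(CERT_CHAIN_ATTR);
        if (!(attr instanceof X509Certificate[])) return null;
        X509Certificate[] certs = (X509Certificate[]) attr;
        if (certs.length == 0 || certs[0] == null) return null;
        return certs[0].getSubjectX500Principal();   // leaf certificate comes first
    }

    public void destroy() {}
}
```

A servlet behind this filter reads `request.getAttribute(OptionalClientCertFilter.CERT_PRINCIPAL_ATTR)` and treats `null` as the lower authentication level, serving the sensitive data only when a Principal is present. The filter does no chain validation itself, so the result is only as trustworthy as the TLS endpoint's own certificate verification.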
