tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Difficulty with SSL authentication without client certificate
Date Sun, 30 Nov 2003 05:50:13 GMT
Tomcat doesn't currently have a clientAuth="want" option.  Yes, it's on my
to-do list someplace, but you could move it up a lot by submitting a patch
;-).

"Lira, Alesio" <lira@ediguay.com.uy> wrote in message
news:F40C3FBEC6EC5B47A8CA30B44CABF54D01F62404@excesa01.ediguay.com.uy...
After all, there is a solution installing Apache and configuring
certificates as optional.... But there must be a Tomcat alone solution.

> -----Mensaje original-----
> De: Lira, Alesio
> Enviado el: jueves 27 de noviembre de 2003 11:17
> Para: Tomcat Users List
> Asunto: RE: Difficulty with SSL authentication without client certificate
>
> The most usual case that this behavior of tomcat is a nuissance, is when
you wish to accept a SSL session; but if there is no client certificate, go
ahead but with some functionality excluded. In my case, I give more
sensitive information if a client certificate is present. Trapping the Error
400 (bad request), doesn't gives me the behavior I want.
> I don't think that an absence of client certificate is a bug. Think you of
accessing in a hurry a secure site from a hotel bussines service because
your laptop is kaput... I will not import my certificate into a machine that
is used by anyone unkown. But if the secure service recognizes you ( but
with lesser power ) because you don't give a certificate and let you go
forward; that is what i want.
>
> > -----Mensaje original-----
> > De: Bill Barker [SMTP:wbarker@wilshire.com]
> > Enviado el: jueves 27 de noviembre de 2003 4:21
> > Para: tomcat-user@jakarta.apache.org
> > Asunto: Re: Difficulty with SSL authentication without client
certificate
> >
> > For what you want, I'd probably go with a Filter that stores the
Principal
> > under a "well-known-name" for use by the Servlet.  For Container level
> > security, it is clearly an error if the client won't provide a
client-cert.
> >
> > Note:  I consider that the fact that you are getting any response at all
to
> > be a bug (which I plan to look into;).  If the client doesn't provide a
> > cert, then the connection should be rudely terminated.
> >
> > "Lira, Alesio" <lira@ediguay.com.uy> wrote in message
> > news:F40C3FBEC6EC5B47A8CA30B44CABF54D01F62401@excesa01.ediguay.com.uy...
> > Hello there.
> >
> > I've tried to configure a security realm for pages; that if a user
> > certificate is present it will be used, but if it doesn't exist the
> > application will resolve the situation with the user authentication
level
> > already known.
> > After wrestling with the web.xml parameters and defining a user realm; I
> > have found that Tomcat ( 4.1.27 ) returns a BAD REQUEST; and control is
> > never ever given to the user realm defined. So, I turned into the source
> > code.
> >
> >
> > In org.apache.catalina.authenticator.SSLAuthenticator.authenticate(),
I've
> > found this :
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> > For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> >




---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message