tomcat-users mailing list archives

From: James Rome
Subject: Certificate authentication
Date: Tue, 04 Oct 2005 14:44:26 GMT
I have looked at the source code and it seems to me that presented
client certificates are only checked for their validity dates, and NOT
for whether they have been revoked. I am able to access my Tomcat site
with a revoked certificate.

It is easy to implement OCSP and/or CRL checking, so I implemented an
X509Realm that extends BasicRealm. I overrode all of the authenticate()
methods, but they are never called when I access my site. I put my realm
in the <Engine> and require CLIENT-CERTS in the site <Context>.

Why don't my methods get called? The start() method gets called, but
nothing else.

Jim Rome
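
The kind of realm the post describes, written out as an added example (this is not the poster's code, and not code from the Tomcat project). It assumes the Tomcat 5.5 realm API of the time: the abstract base class is org.apache.catalina.realm.RealmBase, whose public authenticate(X509Certificate[]) is what the CLIENT-CERT authenticator calls, and GenericPrincipal takes the realm as its first constructor argument. The trustStore and trustStorePassword attributes, the fixed "cert-user" role and the class name are assumptions made for the example. Revocation is checked by running the presented chain through a PKIX path validation with revocation enabled; the two Security properties enable OCSP and CRL distribution point fetching on the Sun/Oracle JDK and are ignored elsewhere.

```java
package example.realm;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.logging.Logger;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/*
 * Hypothetical realm (example code, not part of Tomcat): the client chain
 * from the TLS handshake is validated as a PKIX path with revocation
 * checking on, so expired, untrusted and revoked certificates are all
 * rejected. Only authenticate(X509Certificate[]) matters for CLIENT-CERT;
 * the username/password overloads are never used for certificate logins.
 */
public class RevocationCheckingRealm extends RealmBase {

    private static final Logger LOG =
            Logger.getLogger(RevocationCheckingRealm.class.getName());

    static {
        // Sun/Oracle JDK security properties; other JDKs may ignore them.
        Security.setProperty("ocsp.enable", "true");
        Security.setProperty("com.sun.security.enableCRLDP", "true");
    }

    // Set by Tomcat's digester from attributes on the <Realm> element
    // (attribute names are assumptions chosen for this example).
    private String trustStore;
    private String trustStorePassword;

    public void setTrustStore(String trustStore) { this.trustStore = trustStore; }
    public void setTrustStorePassword(String pw) { this.trustStorePassword = pw; }

    protected String getName() { return "RevocationCheckingRealm"; }

    // This realm serves no password logins.
    protected String getPassword(String username) { return null; }

    // Map the certificate subject to a principal with one fixed role;
    // a real deployment would look the subject up in a user database.
    protected Principal getPrincipal(String username) {
        return new GenericPrincipal(this, username, null,
                Collections.singletonList("cert-user"));
    }

    public Principal authenticate(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            return null;
        }
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath path = cf.generateCertPath(Arrays.asList(certs));

            KeyStore anchors = KeyStore.getInstance(KeyStore.getDefaultType());
            InputStream in = new FileInputStream(trustStore);
            try {
                anchors.load(in, trustStorePassword == null
                        ? null : trustStorePassword.toCharArray());
            } finally {
                in.close();
            }

            PKIXParameters params = new PKIXParameters(anchors);
            // Fail closed: if no CRL/OCSP answer is obtainable, the chain is rejected.
            params.setRevocationEnabled(true);
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (CertPathValidatorException e) {
            // Revoked, expired, untrusted or otherwise unverifiable chain.
            LOG.warning("Rejecting client certificate "
                    + certs[0].getSubjectX500Principal() + ": " + e.getMessage());
            return null;
        } catch (GeneralSecurityException e) {
            LOG.severe("Client certificate validation failed: " + e);
            return null;
        } catch (IOException e) {
            LOG.severe("Cannot load trust store " + trustStore + ": " + e);
            return null;
        }
        // Chain is trusted, inside its validity window and not revoked.
        return getPrincipal(certs[0].getSubjectX500Principal().getName());
    }
}
```

Configured in server.xml as `<Realm className="example.realm.RevocationCheckingRealm" trustStore="/path/to/cacerts" trustStorePassword="changeit"/>` inside the Engine, with the class on Tomcat's server class path. A quick way to confirm the override is actually reached is the LOG.warning line: present a revoked certificate and the rejection should appear in the log, whereas the base RealmBase implementation would have let it through after the date check alone.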
