tomcat-users mailing list archives

From atul <techat...@yahoo.com>
Subject Force getting Client Cert from browser
Date Fri, 24 Oct 2008 18:09:21 GMT
I am initiating client SSL in my webapp by requesting the attribute
org.apache.coyote.request.X509Certificate.
 
User is prompted for the client cert at the browser and logs in just fine.
When the user logs out, we invalidate the HTTP session.
However, when the user tries to access another protected resource using the same browser window
(without closing it), he gets right in.
Tomcat never initiates SSL renegotiation - probably because it hangs onto the SSLSocket and SSLSession
objects for performance.
Is there any way we can get Tomcat to forcefully renegotiate SSL for the client cert?
Is there any way the application can get the SSLSocket and do a close on it? Or destroy the SSLSession
object?
I tried sending HTTP Connection: Close on the response with no success.
 
Is there any other way to effect this?
 
I am using Tomcat 5.5 with Java 1.6_07.
 
Any prompt help is really appreciated!
 
Thanks


      