tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From André Cruz <>
Subject Re: Requesting a SSL client certificate using ACTION_REQ_SSL_CERTIFICATE
Date Thu, 07 May 2009 09:42:24 GMT
On May 7, 2009, at 9:18 , Mark Thomas wrote:

> André Cruz wrote:
>> Hello.
>> I have a specific page in my site that uses ssl client certificates  
>> for
>> authentication and the application itself does the cert validation.  
>> As
>> the rest of the site does not use them I have clientAuth="false" in  
>> my
>> connector otherwise the browsers keep asking for client certificates.
>> I installed a custom security provider to accept all certificates and
>> built a Valve that requests a SSL renegotiation to try and get a
>> certificate:
> Why not just set appropriate security constraints and get Tomcat to  
> handle this
> for you (as per my example in bug 46950)?

Well, for several reasons:

- I want to display customized error messages in my application. If I  
let tomcat handle the certificate validation then, if there's an  
error,  the request doesn't reach the application at all. Or am I wrong?
- I have some custom certificate validation based on the CA of the  
- I don't have all the certificates that will be presented to me, just  
the CA that signs them, so I'm not sure I could configure users and  
roles in tomcat to deal with this.

Is there a better way to do this? The only thing missing right now is  
tomcat not closing the connection immediately when no certificate is  
sent by the browser.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message