tomcat-dev mailing list archives

From Antony Bowesman <>
Subject Client certificates Tomcat 4
Date Mon, 05 Nov 2001 12:59:31 GMT
Hi Craig, (or anyone else)

There seem to be some issues with Tomcat 4 and client authentication.

* CLIENT-CERT only requests certificates if using SSL - i.e. if not
using SSL when trying to access a protected resource it gives the

HTTP Status 400 - No client certificate chain in this request

* If using SSL then the first access to any page causes the browser to
request the certificate.  Access to a protected page then causes the
BASIC authentication box to be displayed and authentication to fail.
This is because all the Realm implementations return null in the
getPrincipal() method.

The default implementation of the authenticate(certs) in
calls getPrincipal(certs[0].getSubjectDN().getName()).  So, it looks
like CLIENT-CERTS, as far as Tomcat is concerned, is simply a
mechanism to authenticate the client machine rather than the individual
operating the machine.   Can this be true??

Surely then CLIENT-CERTS is less secure than using simple form based
authentication over SSL.

Isn't it so that there should be some kind of challenge/response
mechanism that should enable the server to verify the user as well as
authenticating the certificate?

Antony Bowesman
Teamware Group
phone: +358 9 5128 2562
fax  : +358 9 5128 2705

intra / extra / Internet solutions at
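As an added example (not code from the message above and not Tomcat's own), a minimal Tomcat 4 Realm that gives the certificate path described above a non-null principal. It assumes RealmBase calls the abstract getPrincipal(String) with certs[0].getSubjectDN().getName() as the message states, and the class name, package and DN-to-roles table are constructed for illustration.

```java
package example;   // hypothetical package, not part of Tomcat

import java.security.Principal;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

import org.apache.catalina.realm.GenericPrincipal;
import org.apache.catalina.realm.RealmBase;

/**
 * Resolves the subject DN string that RealmBase.authenticate(X509Certificate[])
 * passes to getPrincipal() into a known user with roles. Unknown DNs are denied.
 */
public class CertificateDnRealm extends RealmBase {

    // Constructed sample data: subject DN -> roles. The key must match exactly
    // what getSubjectDN().getName() returns for the presented certificate.
    private static final Map<String, List<String>> USERS =
            new HashMap<String, List<String>>();
    static {
        USERS.put("CN=alice, OU=Teamware, O=Example, C=FI",
                  Arrays.asList("tomcat", "manager"));
        USERS.put("CN=bob, OU=Teamware, O=Example, C=FI",
                  Collections.singletonList("tomcat"));
    }

    protected String getName() {
        return "CertificateDnRealm";
    }

    // Not used on the certificate path; no password is kept for DN users.
    protected String getPassword(String username) {
        return null;
    }

    // Called with the subject DN of certs[0]. Returning null here is exactly
    // what makes the CLIENT-CERT login fail as described in the message.
    protected Principal getPrincipal(String subjectDn) {
        List<String> roles = USERS.get(subjectDn);
        if (roles == null) {
            return null;            // unknown certificate subject: deny
        }
        return new GenericPrincipal(this, subjectDn, null, roles);
    }
}
```

The Realm still only proves possession of a trusted certificate for the named subject; binding that subject to a specific person remains a matter of how certificates are issued and stored on the client side.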
