tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From QM <>
Subject Re: clientAuth=true; non-SSL?
Date Thu, 24 Mar 2005 00:10:25 GMT
On Wed, Mar 23, 2005 at 01:21:11PM -0800, Sweeney, Bill wrote:
: The question is this:  Do I need an SSL connection in order to get
: Tomcat to force the presentation of a client side certificate?  In other
: words, I only want to force authentication, not wrap the connection in
: SSL.

If you want to force authentication using certs (which is what
clientAuth is all about) then I don't see a way around SSL.  The cert
exchange takes place during the SSL handshake.

If you want to just protect access to certain areas of the webapp, check
the Tomcat docs for "realms" and skim the servlet spec for "FORM



software   --
tech news  --
code scan  --

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message