Unfortunately, we need to selectively control client cert within the _same_ web app (i.e. servlet). The criteria would be based on a combination of querystring params, IPs, time, etc.
So basically the same client would post a payload to my servlet at
https://mycompany.com/myserver/servlet/param1/param2/param3

Now, depending on a number of criteria in combination with param3, I need to throttle the certificatevalve to renegotiate the SSL handshake and ask for cert.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, March 29, 2002 11:54 AM
To: Tomcat Developers List
Subject: Re: Extending CertificateValve,ContextConfig but not sure what the implications are in TC

What kind of special behavior do you need?

The client-cert flag in the CertificatesValve only indicates whether you want client certificates for _all_ web requests, regardless of what is specified in the web.xml for each web-app. If you leave the flag false, you can control when client certs are required to any level of detail by customizing the web.xml for each web app. See the servlet specification for more information on how to do this.

Hope this helps, although I didn't quite answer your actual question, since I don't know the answer to that one... :-)

Regards,
Gummi Haf

------------------------------------------
Gudmundur Hafsteinsson - [EMAIL PROTECTED]
Dimon Software - www.dimonsoftware.com
"... 'cause that's what tiggers do the best!" - Tigger
------------------------------------------

"Ian Huynh" <[EMAIL PROTECTED]>
29.03.2002 18:06
Please respond to "Tomcat Developers List"

To: <[EMAIL PROTECTED]>
cc:
Subject: Extending CertificateValve,ContextConfig but not sure what the implications are in TC

Hi

I need to extend (tweak) a few behaviors in org.apache.catalina.valves.CertificatesValve without having to recompile TC. Is there a way to configure TC to use a custom CertificateValve?

TC 4.x currently allows a boolean flag to indicate whether or not the HTTPS port 8443 requires client cert Auth. I am in need of special logic in there to dynamically request client cert under certain conditions.
And I can't expose more than one port! I need to share the same 8443 port for both purposes.

So what I would like to do is

1. extend the CertificatesValve to perform special processing
2. extend the ContextConfig to load my custom CertificatesValve.
3. Configure the server.xml to use my custom ContextConfig

Just curious as to whether or not this is a safe thing to do and also for compatibility with future TC releases?

Thanks.

==============================

    // Instantiate a new CertificatesValve if possible
    Valve certificates = null;
    try {
        Class clazz =
            Class.forName("org.apache.catalina.valves.CertificatesValve");
        certificates = (Valve) clazz.newInstance();
    } catch (Throwable t) {
        return; // Probably JSSE classes not present
    }

It's theoretically possible to replace ContextConfig using something like this in server.xml:

    <Context configClass="my.very.own.ContextConfig" ... />

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
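
The per-web-app web.xml approach described in the reply above, written out as an added example that is not part of the original thread or of Tomcat's own files. The path `/servlet/secure/*` and the role name `cert-user` are hypothetical, and the connector-wide client-cert flag is assumed to be left false so that only the constrained path triggers a certificate request.

```xml
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN"
    "http://java.sun.com/dtd/web-app_2_3.dtd">
<!-- Added example: WEB-INF/web.xml, elements in Servlet 2.3 DTD order. -->
<web-app>

  <!-- The application's servlet and servlet-mapping elements come first. -->

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Certificate-protected endpoint</web-resource-name>
      <!-- Hypothetical path. url-pattern matches on the request path only
           (exact, prefix/* or *.ext), never on query string, IP or time. -->
      <url-pattern>/servlet/secure/*</url-pattern>
      <!-- No http-method elements: the constraint then covers every method,
           so it cannot be sidestepped by switching from POST to another verb. -->
    </web-resource-collection>
    <auth-constraint>
      <!-- Hypothetical role; must also be declared in security-role below. -->
      <role-name>cert-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Require the request to arrive over SSL. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authenticate constrained requests with the client's X.509 certificate. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-role>
    <role-name>cert-user</role-name>
  </security-role>

</web-app>
```

Requests outside the constrained path are served without a certificate on the same port. Because the constraint is selected by path alone, it cannot express the querystring, IP or time criteria raised in the first message of this thread.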