Hi, Bill: Thanx for the comments. Please see the following.
>> Can someone start the Tomcat server with clientAuth=false, but access
>> a URI that is protected by CLIENT-CERT? If yes, then I think a
>> re-handshake is a must.
>
> But using CertificatesValve to accomplish this is the wrong way to do it.
> Catalina has no good reason to know or care what transport the request was
> received on. It's the connector's job to take care of that.
>
> It looks like we may need another Action to handle this case (probably
> invoked by the Realm). Comments?

Okay, that is where my ignorance kicks in. ;-)

I agree that Catalina does not have to know/care about what transport the request is received on. The logical place for this to happen is somewhere where:

1. Tomcat has enough information to determine that the incoming request is intended for a Context that requires client-cert authentication.
2. Tomcat also has a handle on the specific transport mechanism, so that it can force this second handshake with the client.
3. The certificate information is also populated into the Request object for further authorization calls...

Does that sound right?

Thanx,
Q^2

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>