Qingqing Ouyang wrote:
> Hi, Bill:
>
> Thanx for the comments. Please see the following.
>
> >>> Can someone start the Tomcat server with clientAuth=false, but access
> >>> a URI that is protected by CLIENT-CERT? If yes, then I think a
> >>> re-handshake is a must.
> >>
> >> But using CertificatesValve to accomplish this is the wrong way to do it.
> >> Catalina has no good reason to know or care what transport the request
> >> was received on. It's the connector's job to take care of that.
> >>
> >> It looks like we may need another Action to handle this case (probably
> >> invoked by the Realm). Comments?
>
> Okay, that is where my ignorance kicks in. ;-)
>
> I agree that Catalina does not have to know/care about what
> transport the request is received on. The logical place for
> this to happen is somewhere:
>
> 1. Tomcat has enough information to determine the incoming
>    request is intended for a Context that requires the
>    client-cert authentication
>
> 2. Tomcat also has to have the handle on the specific
>    transport mechanism to force this second handshake with
>    the client.
>
> 3. The certificate information also has to be populated with
>    the Request object for further authorization calls...
We can have the current certificate valve send an action to the Coyote layer, which would then update the appropriate attributes. I think some new method is needed in SSLSupport.

Remy
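The flow Remy sketches (the valve asks the connector for the certificate through an action, the connector does the transport-specific renegotiation and fills in the request attribute), as an added illustration that is not code from this thread or from Tomcat itself. It assumes the ActionCode.REQ_SSL_CERTIFICATE action, Globals.CERTIFICATES_ATTR and the ValveBase API of later Tomcat releases with javax.servlet package names, not the API at the time of this thread; the valve class name is hypothetical.

```java
package example; // hypothetical package

import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Globals;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.valves.ValveBase;
import org.apache.coyote.ActionCode;

/**
 * Hypothetical valve. Catalina only decides that a certificate is needed
 * (the context is configured for CLIENT-CERT) and asks for it; how to
 * obtain it (a second handshake when clientAuth="false") stays with the
 * connector, reached through a Coyote action.
 */
public class ClientCertRenegotiationValve extends ValveBase {

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {

        // Step 1: does this Context require client-cert authentication?
        String authMethod = null;
        if (request.getContext() != null && request.getContext().getLoginConfig() != null) {
            authMethod = request.getContext().getLoginConfig().getAuthMethod();
        }
        if (!"CLIENT-CERT".equalsIgnoreCase(authMethod)) {
            getNext().invoke(request, response);
            return;
        }

        // Step 2: no certificate yet, so ask the connector to renegotiate.
        X509Certificate[] certs =
                (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
        if (certs == null && request.isSecure()) {
            request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE, null);
            // Step 3: the connector populates the standard request attribute.
            certs = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
        }

        if (certs == null || certs.length == 0) {
            // Still no identity after the renegotiation attempt: refuse here
            // rather than letting authorization run without a principal.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        getNext().invoke(request, response);
    }
}
```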