I have read your reply. It is valuable to me. Thanks. May I suggest this idea:
>> Server certificate: >> The certificate for the engine with alias "tomcat" >> The certificate for a specific host >> The certificate for a specific web-app >> If a web-app doesn't have a certificate, it can be configured to use the >> certificate of the host. Similarly, if a host doesn't have a certificate, >> it can be configured to use the certificate of the engine. However, when >> a web-app has a certificate, then this one should be used rather than >> always using "tomcat". > Pretty much a pipe-dream, since the SSL protocol requires that the server > send it's cert before it even knows the Host, much less the webapp :). > There is pretty much no other place it can go other than with the > Connector. SSL component is a resource. The engine, virtual hosts, and web-apps are its users. The resource could ask a certificate from its current user. The engine is a subject, so it has a certificate in its own user context (EngineUserConext). Each host is a subject, too. They all have their respective certificates in their user contexts (HostUserConext). If a host doesn't have a certificate, the engine certificate could be used. Any web-app is a subject, too. Every web-app has its own certificate in WebAppUserContext. If a web-app doesn't have a certificate, it could use that of its host. Accessing all the information about a user/entity/subject/program should be done with UserManager which in turn will access the right UserContext. UserContext will access KeyManager & TrustManager. The SSL component should deal with UserManager to get information about its users (Engine/Host/Web-app), and authenticate web clients. I have post another thread suggesting to add the UserManager component. Thank you for consideration! [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
