"Alexander Panzhin" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Is there any way to control the client certificate authentication?
> That is I would like to have the certs in some other repository than
> tomcat's default(java keystore).
truststoreFile="/path/to/my/trusted/ca/keystore"
> And I need the users to authenticate with their certs.
> So is there a way to filter a connector?
You can plug in your own TrustManager, using the standard JSSE mechanism,
but otherwise, no. This all happens deep within JSSE, with minimal Tomcat
involvement.
> Or any other way to get the cert that the client sends to the connector
> and force the container(tomcat) to set the appropriate role?
>
The cert is available programmatically from:
X509Certificate[] certs = (X509Certificate[])
    request.getAttribute("javax.servlet.request.X509Certificate");
Setting the Roles is done by including in your web.xml file:
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>
Note, not all of the Realms that ship with Tomcat support CLIENT-CERT.
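The custom TrustManager mentioned in the reply above, as an added example that is not part of the original post and is not Tomcat code: it runs the normal JSSE chain validation against a CA keystore loaded from wherever you keep it, then rejects any client whose leaf certificate is not listed in an external repository. The class name `RepositoryTrustManager` and the fingerprint set are hypothetical, the code assumes Java 17 or later (for `HexFormat`), and how the manager is registered with the connector depends on the Tomcat version and is not shown.

```java
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import java.util.Objects;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical name: chain validation plus a lookup in your own certificate repository. */
public final class RepositoryTrustManager implements X509TrustManager {
    private final X509TrustManager pkix;      // standard JSSE path validation
    private final Set<String> allowedSha256;  // lowercase hex SHA-256 of permitted client certs

    public RepositoryTrustManager(KeyStore trustedCas, Set<String> allowedSha256) throws Exception {
        // A null KeyStore would silently fall back to the JRE default trust store, so refuse it.
        Objects.requireNonNull(trustedCas, "trustedCas");
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustedCas);
        X509TrustManager found = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { found = (X509TrustManager) tm; break; }
        }
        if (found == null) throw new IllegalStateException("no X509TrustManager available");
        this.pkix = found;
        this.allowedSha256 = Set.copyOf(allowedSha256);
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        pkix.checkClientTrusted(chain, authType); // throws on an empty, expired or untrusted chain
        String fingerprint;
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(chain[0].getEncoded());
            fingerprint = HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new CertificateException(e);    // fail closed if the digest is unavailable
        }
        if (!allowedSha256.contains(fingerprint)) {
            throw new CertificateException("client certificate is not in the repository");
        }
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        pkix.checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() { return pkix.getAcceptedIssuers(); }
}
```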
