I guess I am looking for some pointers on how to approach a certain scenario from "the right way" of implementing it.

Say you have a standard login form with user/pass edits and "Login" and "Smartcard" buttons. The "Login" button does its obvious thing. The "Smartcard" button authenticates the user using client cert SSL. The actual certificate validation happens way downstream of the login page controller, so all it needs to do is to extract it from the request and pass it on to the backend. The login page can be served either over http or https.

The way it is currently implemented is for the servlet to detect that the "Smartcard" button has been pressed and to 302 to a specially designated https connector that has clientAuth="true" + trustManagerClassName=... AnyCertX509TrustManager attributes that handle the client cert authentication.

I suspect though that this is a hack, and there could be a more clever way to handle this with either forwarding or somehow manually upgrading the connection from HTTP to HTTPS/clientAuth or HTTPS to HTTPS/clientAuth to challenge for a client certificate. I'd like to eliminate the 302 and the maintenance of a separate connector.

Some pointers/advice would be appreciated...
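
The flow described in the post, sketched as an added example (not the poster's code) against the javax.servlet API, Servlet 3.1 or later. The `Backend` interface, the redirect URL, port 8444 and the form field names are assumptions made for illustration.

```java
import java.io.IOException;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.*;

public class LoginServlet extends HttpServlet {
    /** Hypothetical stand-in for the downstream backend that does the real validation. */
    public interface Backend {
        boolean checkPassword(String user, String pass);
        boolean checkCertificate(byte[] derEncodedCert);
    }

    // Assumed values, not from the post: a fixed redirect target (never built from the
    // Host header) and the port of the dedicated clientAuth="true" connector.
    private static final String CERT_LOGIN_URL = "https://login.example.test:8444/app/login";
    private static final int CERT_PORT = 8444;
    private final Backend backend;

    public LoginServlet(Backend backend) { this.backend = backend; }

    @Override // form post from the login page, served over http or https
    protected void doPost(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        if (req.getParameter("smartcard") != null) {
            resp.sendRedirect(CERT_LOGIN_URL); // the 302 to the dedicated connector
            return;
        }
        finish(req, resp, backend.checkPassword(req.getParameter("user"), req.getParameter("pass")));
    }

    @Override // the browser follows the 302 with a GET on the clientAuth connector
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (!req.isSecure() || req.getLocalPort() != CERT_PORT || chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        try {
            // The post says validation happens downstream, so chain[0] (the client's own
            // certificate) is untrusted input until the backend has accepted it.
            finish(req, resp, backend.checkCertificate(chain[0].getEncoded()));
        } catch (CertificateEncodingException e) {
            throw new ServletException("unreadable client certificate", e);
        }
    }

    private void finish(HttpServletRequest req, HttpServletResponse resp, boolean ok) throws IOException {
        if (!ok) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        req.getSession(true).setAttribute("authenticated", Boolean.TRUE);
        req.changeSessionId(); // new session id after login, against session fixation
        resp.sendRedirect(req.getContextPath() + "/");
    }
}
```

Because the servlet takes its backend through the constructor, it has to be registered programmatically with `ServletContext.addServlet(String, Servlet)` rather than by class name.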