I was hoping to get some clarification on when to expect client x509 certs in 
HTTP requests where the Tomcat server (v9.x) has been configured to “want” or 
“need” client auth.  
https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf says:

“If there is an SSL certificate associated with the request, it must be exposed 
by the servlet container to the servlet programmer as an array of objects of 
type java.security.cert.X509Certificate and accessible via a ServletRequest 
attribute of javax.servlet.request.X509Certificate.”

Is this only for the request that initiated the TLS handshake?  Or does this 
mean it will be present on all requests (i.e. requests on a keep-alive 
connection after the initial handshake) while the TLS connection is still open?

Thanks,
Jon
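
One way to check this empirically is a filter that reads the attribute quoted above on every request and logs it next to the client port and TLS session id, so requests sharing a keep-alive connection can be compared. This is an added example, not part of the original message or Tomcat's own code; the class name `ClientCertAuditFilter`, the 403 response and the use of the remote port to tell connections apart (which assumes no proxy in front of Tomcat) are assumptions.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter; register it in web.xml or with @WebFilter (Servlet 4.0 / Tomcat 9).
public class ClientCertAuditFilter implements Filter {

    // Request attribute names defined by the Servlet specification.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private static final String TLS_SESSION_ATTR = "javax.servlet.request.ssl_session_id";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;

        // Same remote port on consecutive requests means the same TCP connection
        // (assumption: clients connect to Tomcat directly).
        String where = http.getMethod() + " " + http.getRequestURI()
                + " remotePort=" + req.getRemotePort()
                + " tlsSession=" + req.getAttribute(TLS_SESSION_ATTR);

        Object attr = req.getAttribute(CERT_ATTR);
        X509Certificate[] certs =
                (attr instanceof X509Certificate[]) ? (X509Certificate[]) attr : null;

        if (certs == null || certs.length == 0) {
            // With "want", the handshake can complete without a client certificate,
            // so the application has to enforce its own requirement here.
            req.getServletContext().log("no client certificate: " + where);
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "client certificate required");
            return;
        }

        // The array is ordered in ascending order of trust; index 0 is the client's own certificate.
        X509Certificate leaf = certs[0];
        req.getServletContext().log("client certificate present: " + where
                + " subject=" + leaf.getSubjectX500Principal().getName()
                + " serial=" + leaf.getSerialNumber().toString(16));

        chain.doFilter(req, res);
    }
}
```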
