In my experience with 8.x -- on all requests.

On Fri, Jul 12, 2019 at 3:06 AM Wilmoth, Jon <jon.d.wilm...@nordstrom.com> wrote:
>
> I was hoping to get some clarification on when to expect client x509 certs in
> http requests where the Tomcat server (v9.x) has been configured to “want” or
> “need” client auth.
> https://javaee.github.io/servlet-spec/downloads/servlet-4.0/servlet-4_0_FINAL.pdf
> says:
>
> “If there is an SSL certificate associated with the request, it must be
> exposed by the servlet container to the servlet programmer as an array of
> objects of type java.security.cert.X509Certificate and accessible via a
> ServletRequest attribute of javax.servlet.request.X509Certificate.”
>
> Is this only for the request that initiated the TLS handshake? Or does this
> mean it will be present on all requests (i.e. requests on a keep-alive
> connection after the initial handshake) while the TLS connection is still
> open?
>
> Thanks,
> Jon
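One way to check the behaviour asked about in this thread on a given deployment, as an added example that is not part of the thread or of Tomcat's code: a servlet filter that reads the certificate attribute on every request, rejects the request when it is missing, and logs the TLS session id so requests on one keep-alive connection can be compared. The class name `ClientCertCheckFilter` is hypothetical, and the filter has to be registered for the application's URL patterns.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name. Uses the javax.servlet namespace (Servlet 4.0, Tomcat 9).
public class ClientCertCheckFilter implements Filter {

    // Request attribute names defined by the Servlet specification.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final String SSL_SESSION_ATTR = "javax.servlet.request.ssl_session_id";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
            throws IOException, ServletException {
        // Read the attribute from the current request each time; nothing is
        // carried over from an earlier request on the same connection.
        Object attr = req.getAttribute(CERT_ATTR);
        X509Certificate[] certs =
                (attr instanceof X509Certificate[]) ? (X509Certificate[]) attr : null;

        if (certs == null || certs.length == 0) {
            // With "want", the handshake can complete without a client
            // certificate, so the attribute may be absent: fail closed.
            if (!(res instanceof HttpServletResponse)) {
                throw new ServletException("client certificate required");
            }
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }

        // Per the spec the array is in ascending order of trust:
        // element 0 is the certificate the client presented.
        X509Certificate leaf = certs[0];
        req.getServletContext().log("tls_session=" + req.getAttribute(SSL_SESSION_ATTR)
                + " subject=" + leaf.getSubjectX500Principal().getName()
                + " serial=" + leaf.getSerialNumber().toString(16));

        next.doFilter(req, res);
    }
}
```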