On May 7, 2009, at 9:18 , Mark Thomas wrote:
André Cruz wrote:
Hello.
I have a specific page in my site that uses SSL client certificates for
authentication, and the application itself does the cert validation. As
the rest of the site does not use them, I have clientAuth="false" in my
connector; otherwise the browsers keep asking for client certificates.
I installed a custom security provider to accept all certificates and
built a Valve that requests a SSL renegotiation to try and get a
certificate:
Why not just set appropriate security constraints and get Tomcat to
handle this for you (as per my example in bug 46950)?
Well, for several reasons:
- I want to display customized error messages in my application. If I
let tomcat handle the certificate validation then, if there's an
error, the request doesn't reach the application at all. Or am I wrong?
- I have some custom certificate validation based on the CA of the
certificate.
- I don't have all the certificates that will be presented to me, just
the CA that signs them, so I'm not sure I could configure users and
roles in tomcat to deal with this.
Is there a better way to do this? The only thing missing right now is
tomcat not closing the connection immediately when no certificate is
sent by the browser.
André
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
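For readers following the thread: the approach André describes (Tomcat obtains the certificate, the application validates it and produces its own error pages) can be done without a custom Valve or security provider once the connector actually asks for a certificate. The servlet filter below is an added example written for this page; it is not André's Valve, not the code from bug 46950, and not part of Tomcat. It assumes the connector requests a client certificate without requiring one (for example clientAuth="want"), so that Tomcat exposes whatever chain the browser sent under the standard javax.servlet.request.X509Certificate request attribute and still passes the request through when no certificate was sent. The CA name, the truststore init-parameters and the clientCertSubject attribute are hypothetical.

```java
// Added example (not the poster's Valve or Tomcat's own code): a servlet
// filter that performs application-level client-certificate validation
// against a single issuing CA and answers with custom error messages.
// Assumes Tomcat already negotiated (or tried to negotiate) a client cert
// for this request and exposes the chain under the standard attribute.
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.security.auth.x500.X500Principal;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class ClientCertFilter implements Filter {

    // Standard servlet attribute under which the container exposes the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Hypothetical CA subject; the filter accepts only certificates issued by it.
    private static final X500Principal TRUSTED_ISSUER =
            new X500Principal("CN=Example Client CA, O=Example");

    private PKIXParameters pkixParams;

    public void init(FilterConfig cfg) throws ServletException {
        // Truststore containing only the issuing CA; "truststore" and
        // "truststorePassword" are hypothetical filter init-params from web.xml.
        String path = cfg.getInitParameter("truststore");
        String pass = cfg.getInitParameter("truststorePassword");
        InputStream in = null;
        try {
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            in = new FileInputStream(path);
            ts.load(in, pass == null ? null : pass.toCharArray());
            pkixParams = new PKIXParameters(ts);
            // No CRL/OCSP is configured in this example; enable revocation checking
            // (and supply CRLs or an OCSP responder) before using this in production.
            pkixParams.setRevocationEnabled(false);
        } catch (GeneralSecurityException e) {
            throw new ServletException("cannot load truststore", e);
        } catch (IOException e) {
            throw new ServletException("cannot load truststore", e);
        } finally {
            if (in != null) { try { in.close(); } catch (IOException ignored) { } }
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse resp = (HttpServletResponse) res;
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // The case the thread is about: the browser sent no certificate. Because the
        // request reaches the application, it can answer with its own message.
        if (certs == null || certs.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "This page requires a client certificate issued by Example Client CA.");
            return;
        }

        X509Certificate leaf = certs[0];
        try {
            // 1. Custom CA rule: the leaf must name our CA as issuer (a quick
            //    check; the signature is verified in step 2).
            if (!TRUSTED_ISSUER.equals(leaf.getIssuerX500Principal())) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                        "Certificate was not issued by the expected CA: "
                                + leaf.getIssuerX500Principal().getName());
                return;
            }
            // 2. Cryptographic check: the chain, minus any self-signed root the
            //    browser included, must validate up to the trust anchor in the
            //    truststore (signatures, validity period, basic constraints).
            List<X509Certificate> path = new ArrayList<X509Certificate>();
            for (X509Certificate c : certs) {
                if (!c.getSubjectX500Principal().equals(c.getIssuerX500Principal())) {
                    path.add(c);
                }
            }
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
            CertPathValidator.getInstance("PKIX").validate(certPath, pkixParams);
        } catch (GeneralSecurityException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate rejected: " + e.getMessage());
            return;
        }

        // Certificate accepted: hand the subject to the application and continue.
        req.setAttribute("clientCertSubject", leaf.getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```

Map the filter to the one certificate-protected URL in web.xml; the rest of the site never sees it. Because step 2 verifies the chain against the truststore, step 1 is only there to give a specific error message: a certificate signed by some other CA would fail PKIX validation anyway, so this does not rely on the issuer name alone.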