Kevin,

On 2/19/2010 2:18 PM, Kevin Mills wrote:
> On 2/19/10, Christopher Schultz <ch...@christopherschultz.net> wrote:
>> On 2/19/2010 1:48 AM, Jason Brittain wrote:
>>> Nope. clientAuth="false" means that the webapp's web.xml specifies which
>>> resources require the client certificate.
>>
>> Gotcha: I thought that "false" would cause the connector to ignore all
>> client cert info, while "want" would collect it but not process it,
>> while "true" would perform the checks for you.
>>
>> Instead, "false" and "want" are essentially the same (right?) and "true"
>> does the checks for you. If you have "want" or "false", plus a
>> <web-resource-collection> that demands CLIENT-AUTH, then it will be used
>> for identification purposes, but not actually checked against a valid
>> certificate chain.
>>
>> Do I have that right?
>
> The behavior I see is this: "false" does not request the client
> certificate at all. "want" requests it, but allows the connection to
> go through if no client certificate is presented. "true" requires a
> client certificate and kills the connection if no client certificate
> (or an unacceptable one) is presented.

So, with clientAuth="false", how do you get a client certificate to use
for authentication? Or, does the presence of the CLIENT-CERT in web.xml
trigger an SSL-renegotiation where the client cert /is/ requested from
the client?

-chris