That's what I thought. Thanks anyway. This is good information!

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Tuesday, February 14, 2012 11:50 AM
To: Tomcat Users List
Subject: Re: controlling Server Authentication only vs Mutual authentication
Sanjeev,

On 2/13/12 11:01 PM, Sanjeev Sharma wrote:
> Thanks for your reply. If I set clientAuth="want" will it not ask
> me for a certificate every time I create a new session?

It will not ask for a certificate, but if you provide one, then it will be used.

> And if I'm forwarding (or redirecting) from a page that only
> requires straight SSL with server authentication to one which
> requires mutual authentication, will it force the browser to prompt
> for a client certificate?

This won't work with forwarding, because that's all done after the Connector has performed the SSL negotiation: if you want to change the SSL rules, you'll have to perform a redirect to a location that requires SSL. Or, I suppose, you could sniff the certificate at some point and perform a redirect if you needed the certificate.

Cert negotiation is done at the SSL level (before your code even knows there is a request) and I don't believe the webapp itself can tell Tomcat how to respond because it's too late.

If you redirect to a place that requires a client certificate, then the certificate will be requested. I'm fairly sure that means you'll have to use a different port number or IP address, since you can't have two different settings for "clientAuth" on a single connector: you'll need two (or more).

-chris
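The two-connector layout Chris describes, written out as an added server.xml fragment that is not part of the original thread. It assumes the JSSE connector attributes of Tomcat 6/7; the port numbers, keystore and truststore paths and passwords are placeholders, and both elements sit inside the usual `<Service name="Catalina">`.

```xml
<!-- Connector A: server authentication only.
     clientAuth="false" means the TLS handshake never asks the browser
     for a certificate, so pages here cannot see a client identity. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="conf/server.jks" keystorePass="CHANGE-ME"
           clientAuth="false" sslProtocol="TLS" />

<!-- Connector B: mutual authentication on a separate port.
     clientAuth="true" makes the handshake fail unless the browser
     presents a certificate that chains to a CA in the truststore.
     A webapp on connector A that needs the client identity redirects
     to https://host:8444/... instead of forwarding, because the
     handshake on A is already complete by the time the request runs. -->
<Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="conf/server.jks" keystorePass="CHANGE-ME"
           truststoreFile="conf/trusted-client-cas.jks"
           truststorePass="CHANGE-ME"
           clientAuth="true" sslProtocol="TLS" />

<!-- Variant of B with clientAuth="want": the certificate is requested
     but optional. The handshake succeeds without one, so the webapp
     must check the javax.servlet.request.X509Certificate request
     attribute itself and redirect or deny when it is missing. -->
```

Because clientAuth is a per-connector setting, a single connector cannot serve both behaviours; the distinction between "true" and "want" is whether Tomcat or the webapp enforces the presence of the certificate.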