I have looked at the source code and it seems to me that presented client certificates are only checked for their validity dates, and NOT for whether they have been revoked. I am able to access my Tomcat site with a revoked certificate.
It is easy to implement OCSP and/or CRL checking, so I implemented an X509Realm that extends BasicRealm. I overrode all of the authenticate() methods, but they are never called when I access my site. I put my realm in the <Engine> and require CLIENT-CERTS in the site <Context>. Why don't my methods get called? The start() method gets called, but nothing else.

Jim Rome