Doesn't accepting any certificate defeat the purpose of authentication? If you 
want to accept any certificate, then you are not doing any authentication.

If you have written your own Realm, then do the verification on your realm 
against your dynamic truststore.


-----Original Message-----
From: more...@privasphere.com [mailto:more...@privasphere.com] On Behalf Of 
Luciana Moreira Sa de Souza Signed by - PrivaSphere AG
Sent: Wednesday, November 11, 2009 10:25 AM
To: users@tomcat.apache.org
Cc: Ralf Hauser
Subject: How to set up tomcat and truststore

Hello,

In the platform I am currently working on, we have to set up tomcat to require 
client certificate authentication. The main difference from the standard 
settings as described in
(http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html) is that we wish to 
accept any client certificates, including self-signed ones.

The main reason for that is that we perform a second verification on the 
application layer as our truststore is dynamic.

We have a JAASRealm class extension which basically extends the 
hasResourcePermission method setting it to always return true. Below you can 
see the configuration we added to the server.xml:

    <Realm 
        className="com.privasphere.privalope.security.auth.ClientCertInAppRealm" 
        debug="99"/>

Nevertheless, I believe this method is only called after the initial handshake 
and after the client certificate has been accepted or refused (this is a 
guess). In addition, I am not entirely sure of what I should put in the 
"truststoreFile" property.  As we want to accept all certificates this file 
would probably be empty.

Any suggestions or best practices for this problem?

Best regards,
Luciana Moreira


----------
This message has been signed by the PrivaSphere Mail Signature Service.
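The "verify on your realm against your dynamic truststore" approach from the reply above, as an added example that is neither the list posters' code nor Tomcat's: a hypothetical `DynamicTrustStore` class (Java, like the realm in the thread) that holds a runtime-changeable set of trusted certificates and checks a presented client chain against it with the JDK's standard PKIX validator. The class name, the `trust`/`distrust`/`verify` method names, and the assumption that a Realm subclass would call `verify` from its `authenticate(X509Certificate[])` override are mine; `main` takes the paths of a trusted CA (or self-signed client) certificate and of the client chain from the command line.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Hypothetical application-layer truststore for the "second verification"
 * discussed in the thread. Anchors can be added and removed while the server
 * runs; every check validates against the set as it is right now, so a
 * certificate that was just distrusted is rejected on its next request.
 */
public final class DynamicTrustStore {

    // X509Certificate.equals compares DER encodings, so add/remove work by value.
    private final Set<X509Certificate> trusted = ConcurrentHashMap.newKeySet();

    public void trust(X509Certificate cert)    { trusted.add(cert); }
    public void distrust(X509Certificate cert) { trusted.remove(cert); }

    /**
     * Validates the chain the client presented at the TLS layer (chain[0] is the
     * client's own certificate, as Tomcat hands it to a Realm). Returns the
     * client certificate on success and throws on any failure: fail closed.
     */
    public X509Certificate verify(X509Certificate[] chain) throws GeneralSecurityException {
        if (chain == null || chain.length == 0) {
            throw new CertPathValidatorException("no client certificate presented");
        }
        if (trusted.isEmpty()) {
            // An empty truststore must reject everything, never "accept any".
            throw new CertPathValidatorException("truststore is empty");
        }
        // Like the JDK's own JSSE validator, cut the chain at the first certificate
        // that is itself trusted: a directly trusted (e.g. self-signed) client cert
        // only needs a validity check, and anything above a trusted issuer is irrelevant.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate cert : chain) {
            if (trusted.contains(cert)) {
                break;
            }
            path.add(cert);
        }
        if (path.isEmpty()) {
            chain[0].checkValidity();   // throws if expired or not yet valid
            return chain[0];
        }
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : trusted) {
            anchors.add(new TrustAnchor(ca, null));
        }
        PKIXParameters params = new PKIXParameters(anchors);
        // Assumption: revocation is handled by removing the anchor (distrust);
        // with this left enabled, PKIX would demand a CRL for every certificate.
        params.setRevocationEnabled(false);
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        // Throws CertPathValidatorException on bad signature, expiry, untrusted issuer, ...
        CertPathValidator.getInstance("PKIX").validate(certPath, params);
        return chain[0];
    }

    /** Reads every certificate in a PEM or DER file (a CA, or a whole client chain). */
    public static List<X509Certificate> load(String file) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(file)) {
            for (java.security.cert.Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    static String check(DynamicTrustStore store, X509Certificate[] chain) {
        try {
            return "accepted: " + store.verify(chain).getSubjectX500Principal();
        } catch (GeneralSecurityException e) {
            return "rejected: " + e.getMessage();
        }
    }

    /** Usage: java DynamicTrustStore trusted-ca.pem client-chain.pem */
    public static void main(String[] args) throws Exception {
        DynamicTrustStore store = new DynamicTrustStore();
        List<X509Certificate> anchors = load(args[0]);
        for (X509Certificate ca : anchors) store.trust(ca);
        X509Certificate[] chain = load(args[1]).toArray(new X509Certificate[0]);

        System.out.println(check(store, chain));
        // Distrusting the anchor at runtime rejects the same chain on the next check.
        for (X509Certificate ca : anchors) store.distrust(ca);
        System.out.println(check(store, chain));
    }
}
```

Two points for anyone wiring this into a Realm: the JSSE connector still validates the chain against its `truststoreFile` during the handshake, so the Realm only ever sees chains that got past that check, and keeping the connector's truststore in step with this store (rather than making the TLS layer accept everything) keeps both checks consistent; and `verify` fails closed on an empty store and on a missing chain, which is what distinguishes a dynamic truststore from "accept any certificate".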
