https://issues.apache.org/bugzilla/show_bug.cgi?id=46498
Summary: Client certificate is not requested when clientAuth is
false and resource is protected by security constraint
Product: Tomcat 6
Version: unspecified
Platform: PC
OS/Version: Windows XP
Status: NEW
Severity: major
Priority: P2
Component: Catalina
AssignedTo: [email protected]
ReportedBy: [email protected]
The Tomcat configuration manual states that clientAuth can be false and that
"A false value (which is the default) will not require a certificate chain
unless the client requests a resource protected by a security constraint that
uses CLIENT-CERT authentication. See the SSL HowTo for an example."
Note: The SSL HowTo doesn't have a "false" option described for clientAuth.
Anyway, Tomcat doesn't request a client certificate when clientAuth is false and
the resource is protected by a security constraint like this:
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Certificados</web-resource-name>
    <url-pattern>/Certificados/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
TIA,
Pedro
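
Under the Servlet specification, a `<security-constraint>` invokes the `<login-config>` authentication method only when it carries an `<auth-constraint>`; a `<user-data-constraint>` alone governs transport. The check below is an added example, not part of the original report or of Tomcat: it audits a web.xml string for that distinction, and the `<web-app>` wrapper, the `certuser` role and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment from the report, wrapped in a <web-app> root.
REPORTED = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Certificados</web-resource-name>
      <url-pattern>/Certificados/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
</web-app>"""

# Constructed variant with an <auth-constraint>; the role name "certuser" is hypothetical.
WITH_AUTH = REPORTED.replace(
    "<user-data-constraint>",
    "<auth-constraint><role-name>certuser</role-name></auth-constraint>\n"
    "    <user-data-constraint>", 1)


def _find(elem, name):
    """Direct children called `name`, ignoring any XML namespace on the tag."""
    return [c for c in elem if c.tag.rsplit("}", 1)[-1] == name]


def _texts(elem, parent, leaf):
    """Stripped text of every <leaf> found under each <parent> child of elem."""
    return [n.text.strip() for p in _find(elem, parent)
            for n in _find(p, leaf) if n.text and n.text.strip()]


def audit(descriptor):
    """One finding per <security-constraint> in a web.xml string."""
    root = ET.fromstring(descriptor)
    method = (_texts(root, "login-config", "auth-method") or [None])[0]
    findings = []
    for sc in _find(root, "security-constraint"):
        roles = _texts(sc, "auth-constraint", "role-name")
        if not _find(sc, "auth-constraint"):
            access = "no-authentication"   # transport rule only, no login step
        else:                              # empty auth-constraint permits nobody
            access = "authenticated" if roles else "denied-to-all"
        findings.append({
            "patterns": _texts(sc, "web-resource-collection", "url-pattern"),
            "transport": (_texts(sc, "user-data-constraint", "transport-guarantee") or ["NONE"])[0],
            "auth_method": method, "roles": roles, "access": access})
    return findings
```

`audit(REPORTED)` reports the `/Certificados/*` constraint as `no-authentication` with `CONFIDENTIAL` transport, while `audit(WITH_AUTH)` reports it as `authenticated` for the `certuser` role.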