Hi Evgeny,

Evgeny Shepelyuk wrote:
> Hello,
> 
> I'm using Jetty as restlet HTTP engine with SSL enabled and client's
> certificate auth.
> Probably it's more related to Jetty, but is it possible to make the server
> only ask for certificates for certain URLs?
> 
> I'm NOT USING needClientAuthentication, so the certificate is not mandatory,
> but what I want is the following:
> 
> - for certain resources still use HTTPS, but never let the browser ask for
> the client's certificate.
> 
> The only way I can see now is creating 2 HTTPS connectors and running 2 server
> sockets within the restlet app.
> 

In principle, this can be achieved by re-negotiating the handshake.

This is something that Tomcat supports if the listening socket isn't 
configured to want or need authentication but CLIENT-CERT is used within 
the webapp.
As far as I know, Jetty (as a container) doesn't support it. I don't 
think its API supports it either. The Grizzly library has some support 
for this mechanism.
The Restlet API doesn't support it at the moment. Currently, the client 
certificate is populated when the handler is set up (when the socket is 
connected), after that, the upper layers (Application/Resource/...) 
can't talk back to the socket to tell it to re-negotiate.

This is not impossible, but it would require some changes in the API, in 
particular HttpServerCall and the way the client certificate is then 
passed to the request attributes.

I also reported a bug about this using Glassfish/Grizzly (nothing 
Restlet-specific) a few months ago; I haven't tried more recently.
https://grizzly.dev.java.net/issues/show_bug.cgi?id=416
It would definitely be a problem to implement this feature in Restlet 
if the libraries used by the connectors don't support it.

A possible workaround might be to use Restlet within Tomcat and to use 
CLIENT-CERT for the URI patterns (defined in web.xml) that you know will 
want client-certificate authentication.

Best wishes,

Bruno.

http://restlet.tigris.org/ds/viewMessage.do?dsForumId=4447&dsMessageId=2385222
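As an added illustration of the Tomcat workaround described above (example configuration, not part of the original thread): a web.xml that keeps HTTPS for the whole application but lets Tomcat's CLIENT-CERT authenticator renegotiate the TLS session only for one URI pattern. It assumes the HTTPS connector in server.xml has clientAuth="false" (Tomcat's default) with a truststore holding the client CA, and the paths, role name and realm mapping are assumed placeholders.

```xml
<!-- Added example, not from the thread. Assumes the Tomcat HTTPS connector
     has clientAuth="false", so the initial TLS handshake never asks the
     browser for a certificate; Tomcat renegotiates only when a request
     matches a constraint with auth-method CLIENT-CERT. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Whole site: HTTPS required, but no client certificate is requested. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>All resources</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Only this subtree (assumed path) needs a client certificate; the first
       request here triggers the renegotiation that prompts the browser. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Certificate-protected resources</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Assumed role; the configured Realm must map the certificate's
           subject DN to a user holding this role. -->
      <role-name>cert-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- CLIENT-CERT is what makes Tomcat ask for the certificate per URI
       pattern instead of at socket level. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-role>
    <role-name>cert-user</role-name>
  </security-role>
</web-app>
```

Requests outside /secure/* complete without any certificate prompt, which is the behaviour the original question asks for; the Restlet resources themselves need no change because Tomcat performs the renegotiation before the request reaches the servlet.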