To answer my own question, if you specify a truststoreFile attribute in the tomcat connector configuration, the clientAuth attribute works as intended. In retrospect I suppose the behavior I was seeing shouldn't have been totally unexpected, but it still doesn't really seem to point towards the proper solution.
I should think it should still request the client certificate, and then always fail, saying the certificate is not trusted (or work as intended if the client cert is issued by a JDK/JSSE cacert). Is there any way to tell tomcat to not validate the certificate (similar to specifying org.jboss.security.auth.certs.AnyCertVerifier as the verifier module-option for the org.jboss.security.auth.spi.BaseCertLoginModule)? I guess this would cause unexpected behavior for the AnyCertVerifier since it is relying on the transport layer to perform authentication.

Thanks,
Stephen Saucier

View the original post : http://www.jboss.org/index.html?module=bb&op=viewtopic&p=3887343#3887343

JBoss-user mailing list https://lists.sourceforge.net/lists/listinfo/jboss-user
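A check for the connector setup described in the post above, as an added example that is not part of the original post or of Tomcat/JBoss: it scans a server.xml for HTTPS connectors that set clientAuth but no truststoreFile. The sample XML (ports, paths, passwords) is constructed, and audit_connectors is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample: ports, paths and passwords are placeholders, not from the post.
SAMPLE_SERVER_XML = """\
<Server>
  <Service name="example">
    <Connector port="8080"/>
    <Connector port="8443" scheme="https" secure="true" clientAuth="true"
               keystoreFile="conf/server.keystore" keystorePass="changeit"/>
    <Connector port="9443" scheme="https" secure="true" clientAuth="true"
               keystoreFile="conf/server.keystore" keystorePass="changeit"
               truststoreFile="conf/client-ca.truststore" truststorePass="changeit"/>
    <Connector port="10443" scheme="https" secure="true" clientAuth="want"
               keystoreFile="conf/server.keystore" keystorePass="changeit"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return [(port, clientAuth value)] for HTTPS connectors that ask for
    client certificates but name no truststoreFile to validate them against."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("scheme", "http").lower() != "https":
            continue  # not an SSL connector
        client_auth = conn.get("clientAuth", "false").strip().lower()
        if client_auth in ("false", "no", ""):
            continue  # client certificates are not requested
        if not conn.get("truststoreFile", "").strip():
            findings.append((conn.get("port", "?"), client_auth))
    return findings


if __name__ == "__main__":
    for port, mode in audit_connectors(SAMPLE_SERVER_XML):
        print("port %s: clientAuth=%s without truststoreFile" % (port, mode))
```
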
