Re: In apache-tomcat-7.0.40 want to set Client auth dynamically

2013-10-29 Thread Mark Thomas
On 29/10/2013 05:57, Sushil Prusty wrote:
> Hi All,
>
> In server.xml I need to set up clientauth value dynamically. Is there any
> Java Apache API available to set value at runtime or any other alternative
> option?
>
> Connector  clientAuth=false ...

The behaviour varies by connector.

The BIO connector uses the value for clientAuth when the server socket
is created and doesn't update it. It looks like it should be possible to
update it dynamically but the code doesn't do that.

The NIO connector uses the value for clientAuth at the point where the
client makes a connection. Therefore dynamic updates to clientAuth (e.g.
via JMX) should take effect with the next attempted connection.

The APR connector uses a different attribute so I guess you aren't using
it. For completeness, it uses the value when the server socket is
created and doesn't update it. It might be possible to update it
dynamically but the code doesn't do that.

Mark


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: In apache-tomcat-7.0.40 want to set Client auth dynamically

2013-10-29 Thread Christopher Schultz

Sushil,

On 10/29/13, 4:27 AM, Mark Thomas wrote:
> On 29/10/2013 05:57, Sushil Prusty wrote:
>> Hi All,
>>
>> In server.xml I need to set up clientauth value dynamically. Is
>> there any Java Apache API available to set value at runtime or any
>> other alternative option?
>>
>> Connector  clientAuth=false ...
>
> The behaviour varies by connector.
>
> The BIO connector uses the value for clientAuth when the server
> socket is created and doesn't update it. It looks like it should be
> possible to update it dynamically but the code doesn't do that.
>
> The NIO connector uses the value for clientAuth at the point where
> the client makes a connection. Therefore dynamic updates to
> clientAuth (e.g. via JMX) should take effect with the next
> attempted connection.
>
> The APR connector uses a different attribute so I guess you aren't
> using it. For completeness, it uses the value when the server
> socket is created and doesn't update it. It might be possible to
> update it dynamically but the code doesn't do that.

Another option is to set clientAuth=want and then implement the
cert-checking yourself.

See a post of mine from the archives that includes the
relatively-simple Java code to check the certificate chain (note that
it's not using OCSP or anything like that):
http://markmail.org/message/kzxsamuiu6bldjmv

-chris




In apache-tomcat-7.0.40 want to set Client auth dynamically

2013-10-28 Thread Sushil Prusty
Hi All,

In server.xml I need to set up clientauth value dynamically. Is there any
Java Apache API available to set value at runtime or any other alternative
option?

Connector  clientAuth=false ...

Thanks and Regards
Sushil Kumar Prusty