Remy Maucherat wrote:
> Qingqing Ouyang wrote:
>
>> Hi, Bill:
>>
>> Thanx for the comments. Please see the following.
>>
>>
Can someone start the Tomcat server with clientAuth=false, but access
a URI that is protected by CLIENT-CERT? If yes, then I think a
re-handshake is a must.
Qingqing Ouyang wrote:
> Hi, Bill:
>
> Thanx for the comments. Please see the following.
>
>
>>> Can someone start the Tomcat server with clientAuth=false, but access
>>> a URI that is protected by CLIENT-CERT? If yes, then I think a
>>> re-handshake is a must.
>>
>>
>>
>> But using Certifica
>>
>>1. Tomcat has enough information to determine the incoming
>>request is intended for a Context that requires the
>>client-cert authentication
>
>
> True. However it is unnecessary to do it for the entire Context. It is
> only necessary for the pages that require authentication.
Hi, Bill:
Thanx for the comments. Please see the following.
>>Can someone start the Tomcat server with clientAuth=false, but access
>>a URI that is protected by CLIENT-CERT? If yes, then I think a
>>re-handshake is a must.
>
>
> But using CertificatesValve to accomplish this is the wrong wa
Hi, Bill:
I have a question regarding your comment on the CertificatesValve should
not be used any more...
My understanding of how the CertificatesValve is used is following:
1. The clientAuth attribute in server.xml only determines whether
the Tomcat server by default will require client c