None of the standard realms do certificates properly. For example, o.a.c.authenticator.SSLAuthenticator.java does not check to see if a certificate has been revoked. The LDAP realm compares the presented certificate to the one in the LDAP, which puts a burden on the LDAP to unpublish revoked certificates. This is also rather unnecessary because given the CA certificate and the OCSP address, any presented certificate can be authenticated properly.
So I wrote my own Realm by extending RealmBase and modifying the public Principal authenticate(X509Certificate certs[]) method. I put this realm inside the <Engine> tag and commented out the userdatabase realm. But, so far as I can tell, my authenticate method is never called. Print statements (using the 5.5 log techniques) only appear from the start() method, never from authenticate(). And I can get in with revoked client certificates.

Does anyone have an idea of what is happening? How can I debug this?

Thanks,
Jim Rome
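The revocation check the message describes (CA certificate plus OCSP address), as an added example that is not part of the original post and not Tomcat code. It assumes Java 8 or later for java.security.cert.PKIXRevocationChecker; the class name OcspCheck, the validate() helper and the command-line arguments are hypothetical. A Realm's authenticate(X509Certificate[]) could call validate() before mapping the certificate to a Principal.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.cert.*;
import java.util.*;

// Added example (hypothetical helper): PKIX path validation with mandatory OCSP.
public class OcspCheck {

    /** Returns normally only if the chain validates to caCert and OCSP reports it good. */
    public static void validate(X509Certificate[] chain, X509Certificate caCert, URI ocspUri)
            throws Exception {
        // A CertPath must not contain the trust anchor itself, so drop the CA if the peer sent it.
        List<X509Certificate> certs = new ArrayList<>();
        if (chain != null) for (X509Certificate c : chain) if (!c.equals(caCert)) certs.add(c);
        // An empty path validates trivially, so reject it explicitly.
        if (certs.isEmpty()) throw new CertificateException("no client certificate to validate");

        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(certs);
        PKIXParameters params =
                new PKIXParameters(Collections.singleton(new TrustAnchor(caCert, null)));

        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker rc = (PKIXRevocationChecker) validator.getRevocationChecker();
        rc.setOcspResponder(ocspUri); // use this responder instead of the certificate's AIA URL
        // NO_FALLBACK: OCSP only, no CRL fallback. SOFT_FAIL is deliberately not set,
        // so an unreachable responder rejects the certificate instead of letting it through.
        rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.NO_FALLBACK));
        params.addCertPathChecker(rc); // an explicit checker is used regardless of setRevocationEnabled

        validator.validate(path, params); // throws CertPathValidatorException on any failure
    }

    // Arguments (placeholders): <client-cert.pem> <ca-cert.pem> <ocsp-responder-url>
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate client, ca;
        try (InputStream in = new FileInputStream(args[0])) { client = (X509Certificate) cf.generateCertificate(in); }
        try (InputStream in = new FileInputStream(args[1])) { ca = (X509Certificate) cf.generateCertificate(in); }
        try {
            validate(new X509Certificate[] { client }, ca, URI.create(args[2]));
            System.out.println("accepted: " + client.getSubjectX500Principal());
        } catch (CertPathValidatorException e) {
            // getReason() is REVOKED for a revoked certificate, UNDETERMINED_REVOCATION_STATUS
            // when the responder could not be consulted.
            System.out.println("rejected: " + e.getReason() + " (" + e.getMessage() + ")");
        }
    }
}
```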