Re: Trouble with CLIENT-CERT authentication method

2010-02-23 Thread Kevin Mills
On 2/19/10, Christopher Schultz ch...@christopherschultz.net wrote: So, with clientAuth=false, how do you get a client certificate to use for authentication? Or, does the presence of the CLIENT-CERT in web.xml trigger an SSL-renegotiation where the client cert /is/ requested from the client?

Re: Trouble with CLIENT-CERT authentication method

2010-02-19 Thread Kevin Mills
On 2/18/10, Christopher Schultz ch...@christopherschultz.net wrote: Stupid question: don't you want clientAuth=true? In this particular case, no. I don't want to force client certificate authentication for all SSL connections coming to port 8443. Instead, I am looking to do client

Re: Trouble with CLIENT-CERT authentication method

2010-02-19 Thread Kevin Mills
On 2/19/10, Christopher Schultz ch...@christopherschultz.net wrote: On 2/19/2010 1:48 AM, Jason Brittain wrote: Nope. clientAuth=false means that the webapp's web.xml specifies which resources require the client certificate. Gotcha: I thought that false would cause the connector to ignore

Re: Trouble with CLIENT-CERT authentication method

2010-02-18 Thread Kevin Mills
On 2/17/10, Mark Thomas ma...@apache.org wrote: CVE-2009-3555? Now that this is working, I'd like to ask what other options exist for using client certificate authentication on a per-webapp basis. Requiring my customers to enable a feature (allowUnsafeLegacyRenegotiation) that exposes them to a

Trouble with CLIENT-CERT authentication method

2010-02-17 Thread Kevin Mills
Greetings fellow Tomcat-ers: I'm trying to enable client certificate authentication on a per-webapp basis using Tomcat 6.0.24. According to the various sources of documentation I've found, this should be possible by enabling the SSL Connector (which I've done), getting client certificate

Re: Trouble with CLIENT-CERT authentication method

2010-02-17 Thread Kevin Mills
On 2/17/10, Mark Thomas ma...@apache.org wrote: On 17/02/2010 23:48, Kevin Mills wrote: Can anyone tell me what's going on here? CVE-2009-3555? http://tomcat.apache.org/tomcat-6.0-doc/config/http.html search for allowUnsafeLegacyRenegotiation Thanks for your reply - I did see that option

Re: Trouble with CLIENT-CERT authentication method

2010-02-17 Thread Kevin Mills
On 2/17/10, Mark Thomas ma...@apache.org wrote: Then you probably haven't got your config quite right. There are plenty of things to go wrong with this but this definitely works - I was using it just the other day. We'll need to see: - connector element from server.xml - web.xml -

Re: Trouble with CLIENT-CERT authentication method

2010-02-17 Thread Kevin Mills
On 2/17/10, Mark Thomas ma...@apache.org wrote: <snip/> :-) Doesn't work, meaning I don't get prompted for my certificate. I see my servlet's output without any sort of authentication. What URL are you requesting? Only index.jsp will prompt for a cert. Your servlet will just require SSL to

Re: Trouble with CLIENT-CERT authentication method

2010-02-17 Thread Kevin Mills
On 2/17/10, Mark Thomas ma...@apache.org wrote: The rules on how security constraints combine are in the Servlet spec. It can take a bit of time to get your head around it. To require a cert for your servlet too, one option would be: security-constraint