Remy Maucherat wrote:
> Qingqing Ouyang wrote:
>
>> Hi, Bill:
>>
>> Thanx for the comments. Please see the following.
>>
>>>> Can someone start the Tomcat server with clientAuth=false, but access
>>>> a URI that is protected by CLIENT-CERT? If yes, then I think a
>>>> re-handshake is a must.
>>>
>>> But using CertificatesValve to accomplish this is the wrong way to do it.
>>> Catalina has no good reason to know or care what transport the request was
>>> received on. It's the connector's job to take care of that.
>>>
>>> It looks like we may need another Action to handle this case (probably
>>> invoked by the Realm). Comments?
>>
>> Okay, that is where my ignorance kicks in. ;-)
>>
>> I agree that Catalina does not have to know/care about what
>> transport the request is received on. The logical place for
>> this to happen is somewhere:
>>
>> 1. Tomcat has enough information to determine the incoming
>>    request is intended for a Context that requires the
>>    client-cert authentication
>>
>> 2. Tomcat also has to have the handle on the specific
>>    transport mechanism to force this second handshake with
>>    the client.
>>
>> 3. The certificate information also has to be populated with
>>    the Request object for further authorization calls...
>
> We can have the current certificate valve send an action to the Coyote
> layer, which would then update the appropriate attributes.
> I think some new method is needed in SSLSupport.

Ok, already there :) Great job Bill :)

Remy

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
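Added illustration of the flow the thread settles on (not code from this thread or from Tomcat itself): a Catalina Valve that, for a Context using CLIENT-CERT login, never touches the transport directly but asks the Coyote connector through an action to renegotiate for the client certificate, then reads the attribute the connector populates. It assumes the API names of later Tomcat releases (ActionCode.REQ_SSL_CERTIFICATE, Globals.CERTIFICATES_ATTR, Request.getCoyoteRequest()); the class name ClientCertRenegotiateValve is hypothetical.

```java
// Hypothetical valve illustrating the design discussed on the list:
// Catalina decides that a certificate is required, the connector performs
// the TLS re-handshake and fills in the certificate attribute.
import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletResponse;

import org.apache.catalina.Globals;
import org.apache.catalina.connector.Request;
import org.apache.catalina.connector.Response;
import org.apache.catalina.deploy.LoginConfig;
import org.apache.catalina.valves.ValveBase;
import org.apache.coyote.ActionCode;

public class ClientCertRenegotiateValve extends ValveBase {

    @Override
    public void invoke(Request request, Response response)
            throws IOException, ServletException {

        // Only act for a Context whose login-config is CLIENT-CERT.
        LoginConfig cfg = request.getContext().getLoginConfig();
        if (cfg == null || !"CLIENT-CERT".equals(cfg.getAuthMethod())) {
            getNext().invoke(request, response);
            return;
        }

        // A re-handshake is only possible on a TLS connection; refuse plain HTTP
        // rather than let the request through without a certificate.
        if (!request.isSecure()) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        X509Certificate[] certs =
            (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
        if (certs == null || certs.length == 0) {
            // Catalina does not know the transport; the connector handles the
            // renegotiation and then updates the request attribute itself.
            request.getCoyoteRequest().action(ActionCode.REQ_SSL_CERTIFICATE, null);
            certs = (X509Certificate[]) request.getAttribute(Globals.CERTIFICATES_ATTR);
        }
        if (certs == null || certs.length == 0) {
            // Client declined to present a certificate: no further processing.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        getNext().invoke(request, response);
    }
}
```

If the connector was started with clientAuth=false, the certificate attribute is empty on the first pass and only the action triggers the second handshake the thread describes; the Realm still has to verify the returned chain before granting a role.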