I have been looking into http://nagoya.apache.org/bugzilla/show_bug.cgi?id=19867 and have a couple of questions.

The error seen in this report is a result of specifying CLIENT-CERT authentication without specifying a user-data-constraint. This causes an NPE because the sslSupport attribute of the Http11Processor object is null. I have looked at the servlet spec (2.3 and the draft of 2.4) and, based on the 2.4 draft, the user-data-constraint is not mandatory (end of SRV.12.8) and the use of CLIENT-CERT requires SSL (SRV.12.5.4). With this in mind, my first question is:

1. If a user wants to use CLIENT-CERT, should they have to specify a user-data-constraint, or should Tomcat automatically apply SSL to the resources in the web resource collection specified in the security constraint when the auth constraint is CLIENT-CERT? Having read the spec, I can't figure out what should happen.

Regardless of the answer to the above, if CLIENT-CERT is specified, user-data-constraint is set to CONFIDENTIAL and there are no valid certs on the client, a number of exceptions are thrown by Tomcat. This brings me to my remaining question:

2. Not having a matching certificate is equivalent to getting the password wrong. Therefore, shouldn't Tomcat behave in a similar way (no exceptions, return a 403 to the client) rather than throwing the exceptions?

With some guidance on the above, assuming that some code changes will be required, I'll set about writing a patch.

Note: Although the bug is reported against 4.1.24, the same behaviour is seen with the latest 4.x.x and 5.x.x.

Regards,
Mark
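For reference, the two web.xml shapes discussed above, as an added illustration rather than anything from the bug report or the Tomcat source: the first security-constraint omits the user-data-constraint (the configuration that triggers the NPE), the second states CONFIDENTIAL explicitly so the request is forced onto SSL before CLIENT-CERT authentication runs. The role name and URL patterns are assumed placeholders.

```xml
<!-- Constructed example: two ways of protecting a resource with CLIENT-CERT -->
<web-app>

  <!-- Variant A: no user-data-constraint. Per the report, Tomcat 4.1.24
       hits a NullPointerException here because sslSupport is null when
       the request did not arrive over SSL. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Cert Protected (no transport guarantee)</web-resource-name>
      <url-pattern>/secure-a/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>certuser</role-name> <!-- assumed role name -->
    </auth-constraint>
  </security-constraint>

  <!-- Variant B: explicit CONFIDENTIAL transport guarantee. Plain HTTP
       requests are redirected to the SSL port, so the certificate lookup
       always runs on an SSL connection. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Cert Protected (SSL required)</web-resource-name>
      <url-pattern>/secure-b/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>certuser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- CLIENT-CERT applies to the whole web application -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-role>
    <role-name>certuser</role-name>
  </security-role>

</web-app>
```

Variant B still depends on the SSL connector requesting client certificates; without a matching certificate the outcome is the behaviour questioned in point 2 above.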