I am curious why SSLAuthenticator does not/cannot compare some attribute of the client cert with the remote address (requestor)? Without such a check, it seems to me that certificates are as easily shared as the credentials used in basic authentication.
Also, why do the realm implementations always return null for getPrincipal? Couldn't they lookup the user on the users database, ignoring password, to establish authorized roles? The combination of these two things seems to me to really limit the usefulness of client certificate authentication because authentication provides little guarantee of who the client is, and even if it did, the client is denied access to any protected resources. --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]