For what you want, I'd probably go with a Filter that stores the Principal under a "well-known-name" for use by the Servlet. For Container level security, it is clearly an error if the client won't provide a client-cert.
Note: I consider that the fact that you are getting any response at all to be a bug (which I plan to look into;). If the client doesn't provide a cert, then the connection should be rudely terminated. "Lira, Alesio" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] Hello there. I've tried to configure a security realm for pages; that if a user certificate is present it will be used, but if it doesn't exist the application will resolve the situation with the user authentication level already known. After wrestling with the web.xml parameters and defining a user realm; I have found that Tomcat ( 4.1.27 ) returns a BAD REQUEST; and control is never ever given to the user realm defined. So, I turned into the source code. In org.apache.catalina.authenticator.SSLAuthenticator.authenticate(), I've found this : --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
