Thanks QM - Agreed. No way around SSL, as the client certificate request is dependent on the SSL handshake.
For those in the list who have followed these links while building their own keystores and self signed certs and client certs for authentication: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/http.html#SSL%20S upport http://java.sun.com/webservices/docs/1.1/tutorial/doc/WebAppSecurity5.ht ml http://java.sun.com/j2se/1.4.2/docs/tooldocs/solaris/keytool.html#genkey Cmd http://mark.foster.cc/kb/openssl-keytool.html I needed to add to the Java Options: -Djavax.net.ssl.trustStore=[path to]\myClient.keystore -Djavax.net.ssl.trustStorePassword=mypassword Else the server was not finding the client.keystore and was throwing "bad_certificate" errors. Now works fine. Tested in IE6 and Firefox. - wjs -----Original Message----- From: QM [mailto:[EMAIL PROTECTED] Sent: Wednesday, March 23, 2005 7:10 PM To: Tomcat Users List Subject: [QUAR]Re: clientAuth=true; non-SSL? On Wed, Mar 23, 2005 at 01:21:11PM -0800, Sweeney, Bill wrote: : The question is this: Do I need an SSL connection in order to get : Tomcat to force the presentation of a client side certificate? In other : words, I only want to force authentication, not wrap the connection in : SSL. If you want to force authentication using certs (which is what clientAuth is all about) then I don't see a way around SSL. The cert exchange takes place during the SSL handshake. If you want to just protect access to certain areas of the webapp, check the Tomcat docs for "realms" and skim the servlet spec for "FORM authentication." -QM -- software -- http://www.brandxdev.net/ tech news -- http://www.RoarNetworX.com/ code scan -- http://www.JxRef.org/ --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
