Hi,
I'm not trying to see the SSL stuff itself, but make the connector ask for a
client certificate.
This works with the security-constraint config mentioned below, if I
reference a role from the user-realm. As I do not have the users defined in
some realm, I try to find a way to make the connector switch to requesting a
client certificate without referencing a realm.
The only alternative would be to dump the filter and implement a realm?
Best regards,
Alexander Jung
> -----Original Message-----
> From: Dima Retov [mailto:dima@(protected)]
> Sent: Tuesday, March 6, 2007 14:33
> To: Tomcat Users List
> Subject: Re: How to request a client Certificate Authentication ?
>
> Hi,
>
> SSL stuff happens before any actual HTTP data is sent.
> It is not possible to see the request's URL at this stage.
>
> Dima
>
> Tuesday, March 6, 2007, 3:29:15 PM, you wrote:
>
> JAA> Hello,
>
> JAA> I try to implement a custom client certificate authentication, that does
> JAA> some complicated LDAP-lookups in the background and gives an authenticated
> JAA> value with request.getRemoteUser() back to the applications.
>
> JAA> Peeking through the jcifs source, I chose to implement a filter. This
> JAA> works, but I'd like to limit the areas where the tomcat-SSL Connector asks
> JAA> for a SSL-Clientauthentication.
>
> JAA> I configured the connector with clientAuth="false" and tried to force SSL
> JAA> client authentication within the applications web.xml with:
>
> JAA> <security-constraint>
> JAA>   <web-resource-collection>
> JAA>     <web-resource-name>Zugriffsschutz</web-resource-name>
> JAA>     <url-pattern>/secure/*</url-pattern>
> JAA>   </web-resource-collection>
> JAA>   <user-data-constraint>
> JAA>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> JAA>   </user-data-constraint>
> JAA> </security-constraint>
>
> JAA> <login-config>
> JAA>   <auth-method>CLIENT-CERT</auth-method>
> JAA> </login-config>
>
> JAA> But this does not make the connector ask for a client certificate. How do I
> JAA> make the connector ask for it? (clientAuth="true" in the connectors
> JAA> configuration works, but limits the access of all pages to users that have
> JAA> client certs).
>
> JAA> I'm using tomcat 5.5.20.
>
> JAA> Regards,
> JAA> Alexander Jung
>
>
>
> --
> Best regards,
> Dima mailto:dima@(protected)

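The filter approach described in the quoted message, as an added example that is not part of the original thread: it reads the certificate chain from the standard servlet request attribute and exposes a user name through `request.getRemoteUser()`, rejecting requests that carry no certificate. The class name `ClientCertUserFilter` and the mapping from the subject CN to a user name are assumptions standing in for the LDAP lookup, and the filter assumes the connector has already validated the chain against its truststore during the handshake.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter: the class name and the CN-based mapping are assumptions for illustration.
public class ClientCertUserFilter implements Filter {
    // Standard servlet attribute holding the client certificate chain on TLS requests.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        X509Certificate[] certs = (X509Certificate[]) http.getAttribute(CERT_ATTR);
        // certs[0] is the client's own certificate; the rest is its issuer chain.
        final String user = (certs == null || certs.length == 0) ? null : commonName(certs[0]);
        if (user == null) {
            // Fail closed: no certificate was presented, or its subject has no usable CN.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // Expose the derived identity to the application via getRemoteUser().
        chain.doFilter(new HttpServletRequestWrapper(http) {
            public String getRemoteUser() { return user; }
        }, res);
    }

    // Parse the subject DN with LdapName instead of splitting on commas,
    // which breaks on escaped commas inside attribute values.
    static String commonName(X509Certificate cert) {
        try {
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) return String.valueOf(rdn.getValue());
            }
        } catch (InvalidNameException e) {
            // Unparseable DN: treat the request as unauthenticated.
        }
        return null;
    }
}
```

This covers only the identity-mapping side; it does not by itself make the connector request a certificate, which is the open question in the thread.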