1 Reply Latest reply on Feb 25, 2006 10:53 AM by lucluc

    CLIENT-CERT AUTH: is it really strong?

    lucluc

      My question arises from the fact that the client is authenticated against a principal retrieved from the public certificate that the browser sends in response to the ObjectCallback.
      Is it possible that a user could send this certificate even when he's not the real certificate owner?
      I remember that security is based on a digital signature of a random hash sent by the server, verified on the server against the public certificate stored in a Java store.
      But I cannot find this feature in the sources that manage client authentication in the JBoss 4.0.3SP1 release.

      Any suggestion will be appreciated.
      thanks in advance
      F
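The proof-of-possession step the question is looking for happens inside the TLS handshake (the client's CertificateVerify message signs the handshake transcript with the private key), so it is performed by the SSL connector before the certificate ever reaches a login module. The following Go program is an added example, not code from JBoss or from the poster: it models that exchange with a bare server nonce standing in for the handshake transcript, a self-signed certificate for a constructed user "alice", and an attacker who holds only the public certificate.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newClientIdentity builds a self-signed client certificate plus its private key.
// Constructed test data standing in for a certificate issued by a real CA.
func newClientIdentity(cn string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, nil, err
	}
	return cert, key, nil
}

// newChallenge is the server's fresh random value. In real TLS the signed data
// is the handshake transcript, which plays the same anti-replay role.
func newChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// clientProve signs the challenge with the private key (the CertificateVerify step).
func clientProve(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// authenticate verifies the signature with the public key carried in the presented
// certificate and only then derives a principal (here the CN) from that certificate.
func authenticate(cert *x509.Certificate, challenge, sig []byte) (string, error) {
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig); err != nil {
		return "", errors.New("proof of possession failed: " + err.Error())
	}
	return cert.Subject.CommonName, nil
}

// forgeWithoutPrivateKey models someone who has a copy of the public certificate
// but not the private key: the best they can do is sign with some other key.
func forgeWithoutPrivateKey(challenge []byte) ([]byte, error) {
	otherKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return clientProve(otherKey, challenge)
}

func main() {
	cert, key, err := newClientIdentity("alice")
	if err != nil {
		panic(err)
	}
	challenge, _ := newChallenge()

	sig, _ := clientProve(key, challenge)
	principal, err := authenticate(cert, challenge, sig)
	fmt.Println("genuine client:", principal, err)

	forged, _ := forgeWithoutPrivateKey(challenge)
	_, err = authenticate(cert, challenge, forged)
	fmt.Println("certificate copy only:", err)

	other, _ := newChallenge()
	_, err = authenticate(cert, other, sig)
	fmt.Println("replayed signature:", err)
}
```

The point to take from it: the certificate is public data and presenting it proves nothing; what the server trusts is the signature over fresh data, which only the private-key holder can produce. In a JBoss deployment this check lives in the web container's SSL connector (the `clientAuth` setting on the HTTPS connector) and in the trust store used to validate the certificate chain, which is why it does not appear in the login-module sources that map the already-verified certificate to a principal.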