I have checked the source code of Jetty provided as a module of jboss-all. I have also checked the Tomcat (3.x) source code.
According to the Servlet-JSP doc, an authentication-method named CLIENT-CERT could be supported. Other authentication-methods are BASIC, FORM, DIGEST.
Unless I have made a big mistake, neither Jetty nor Tomcat (at least version 3.x) supports the CLIENT-CERT authentication method.
Having such authentication implemented in JBoss implies either a patch to the Jetty/Tomcat code OR something (an EJB, a JavaBean or ...) that would take care of request/response and start the SSL client-authentication process using the https protocol.
I have serious doubts if the latter is possible. I assume that server-side SSL authentication that has been done when your servlet/jsp page starts has "closed" the SSL handshake process. I am not sure if there is some way to re-open it, asking the remote browser, "oh, by the way, would you mind sending me the client certificate?".