From looking at the source release, an updated version of the patch (you are talking about the 'jetty' patch aren't you?) has been applied in 3.2.0.
However, I have my questions about the behaviour. I have a simple servlet that just prints out the getCallerPrincipal() and getRemoteUser(). The result to me is not very useable, because you simply get a string representation with the serial number of the certificate, and the DN of the CA that issued the certificate.
It would be nice if I could at least write a LoginModule where I can get the certificate objects. I tried to create one but I fail to see how I could get a hold of these objects.
Here is a simple skeleton of a Login Module which you could use.
The Credential contains the CertificateChain.
Just put your checks within the login-method and return the roles for the user in the getRoleSet-method.
I have tested it with 3.2.0 + Tomcat 4.1.24 but I did some modifications on JBossSecurityMgrRealm.java to get it working. These modifications are already committed to 3.2.1 but I did not have time to check that till now.
Thanks for your help. I have upgraded to 3.2.1 with tomcat 4.1.24 and have managed to get it working although not quite in the way I expected (request.getRemoteUser() returns cert serial + issuer DN). I am not sure that this is standard behaviour. I am planning to have a look at this and your login module this weekend.
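The skeleton mentioned in the thread is not reproduced on this page. The following is an added example, not the poster's module and not JBoss code, showing a plain JAAS LoginModule that reads the client certificate chain in login() and derives the principal name from the subject CN instead of serial + issuer DN. The `CertChainCallback` class and the way the container hands over the chain are assumptions, and the JBoss-specific role mapping (getRoleSet) is left out.

```java
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Map;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.Subject;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.login.FailedLoginException;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class CertLoginModule implements LoginModule {
    // Hypothetical callback (assumption): the container's handler fills in the chain.
    public static class CertChainCallback implements Callback { public X509Certificate[] chain; }

    private Subject subject; private CallbackHandler handler; private Principal user;

    public void initialize(Subject s, CallbackHandler h, Map<String, ?> shared, Map<String, ?> options) {
        subject = s; handler = h;
    }

    public boolean login() throws LoginException {
        CertChainCallback cb = new CertChainCallback();
        try {
            handler.handle(new Callback[] { cb });
            if (cb.chain == null || cb.chain.length == 0)
                throw new FailedLoginException("no client certificate presented");
            X509Certificate leaf = cb.chain[0]; // assumed order: client certificate first
            leaf.checkValidity();               // rejects expired or not-yet-valid certificates
            final String cn = commonName(leaf);
            user = new Principal() { public String getName() { return cn; } };
            return true;
        } catch (LoginException e) {
            throw e;
        } catch (Exception e) {
            throw new FailedLoginException("certificate rejected: " + e.getMessage());
        }
    }

    // Parse the RFC 2253 subject DN and return its CN attribute.
    static String commonName(X509Certificate cert) throws Exception {
        for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
            if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
        throw new FailedLoginException("subject DN has no CN");
    }
    public boolean commit() { return user != null && subject.getPrincipals().add(user); }
    public boolean abort()  { user = null; return true; }
    public boolean logout() { if (user != null) subject.getPrincipals().remove(user); user = null; return true; }
}
```

The module only checks the validity period of the leaf certificate; it assumes the SSL connector has already verified the chain against its trust store.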