shibboleth-dev - Re: Tomcat and certificate validation for SSL
Subject: Shibboleth Developers
List archive
- From: Tom Scavo
- To: Chad La Joie
- Subject: Re: Tomcat and certificate validation for SSL
- Date: Tue, 14 Jun 2005 08:42:58 -0400
On 6/14/05, Chad La Joie wrote:
> Tom Scavo wrote:
> >>For now though, the goal is just to get a standalone Tomcat server to
> >>behave like an Apache/Tomcat setup.
> >
> > But as you said, mucking with the container is non-portable. Could
> > you write a filter that sits in front of the IdP and does the same
> > thing to the request that Apache is doing now (whatever that is)?
>
> Nope, because it's the container doing the "bad" thing, namely trying to
> validate the certificate against its trust store. Since the trust
> store doesn't have the cert chain(s) in it (they're in the metadata)
> this will fail. Apache allows you to just pass the cert on, presumably
> so that your code can take care of the checking. Since the invocation
> of a filter would happen after Tomcat did the initial request processing
> the filter would never fire because the request wouldn't get to it.
Can't you simply configure the AA endpoint to *not* do client authn
(clientAuth="false")?
Tom