Hi all,
I'm busy with a project that has very specific SSL/security needs.
The project needs client-side authentication with special certificates; the certificates do NOT have the client domain name or IP address in the Common Name field, but have a unique code. This way, the clients are not tied to a host (since some clients will run in a managed web environment, where there may exist multiple clients on the same host and thus the same IP address).
Conceptually, all this is not so difficult to grasp, but it has proved pretty darn difficult to implement in Tomcat.
The default trust manager in Tomcat checks the domain name of the incoming client request against the domain name on the client certificate (by default this is the CN field in the certificate). If this doesn't match, the client certificate is disregarded as irrelevant and cannot be read afterwards.
So what I have so far: I've implemented a new Trust Manager, but so far I have not been able to insert this into Tomcat.
So my question is: how can I override the default client authentication mechanism in Tomcat?
Any help is GREATLY appreciated (I'm getting a little crazy over here....)
[ December 10, 2007: Message edited by: Eelco den Heijer ]
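The kind of trust manager the post describes, written out as an added example (this is not the poster's code and not part of Tomcat): it validates the client's chain against a pinned CA with the JDK's PKIX path validator and then authorises purely on the unique code carried in the leaf certificate's CN, without consulting the peer's host name or IP address at any point. The trust-store path and password, the allowed-code set and the disabled revocation checking are assumptions marked in the code; a zero-argument constructor is kept because a container that instantiates the class reflectively needs one.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.net.ssl.X509TrustManager;

/**
 * Added example, not from the original post. Server-side trust manager that
 * (1) validates the client chain cryptographically to a pinned CA and
 * (2) authorises on a unique code in the leaf CN. No host name or IP is used.
 */
public class ClientCodeTrustManager implements X509TrustManager {

    // ASSUMPTION: JKS trust store holding only the CA that issues client certificates.
    private static final String TRUST_STORE = "/etc/tomcat/client-ca.jks";
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    // ASSUMPTION: allowed client codes; a real deployment would load these from a database.
    private static final Set<String> ALLOWED_CODES =
            new HashSet<String>(Arrays.asList("CLIENT-0001", "CLIENT-0002"));

    private final PKIXParameters pkixParams;
    private final X509Certificate[] trustedCerts;

    public ClientCodeTrustManager() throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(TRUST_STORE);
        try {
            ks.load(in, TRUST_STORE_PASSWORD);
        } finally {
            in.close();
        }
        pkixParams = new PKIXParameters(ks);     // every trusted entry becomes a trust anchor
        pkixParams.setRevocationEnabled(false);  // ASSUMPTION: no CRL/OCSP set up; enable in production
        List<X509Certificate> anchors = new ArrayList<X509Certificate>();
        for (TrustAnchor ta : pkixParams.getTrustAnchors()) {
            anchors.add(ta.getTrustedCert());
        }
        trustedCerts = anchors.toArray(new X509Certificate[0]);
    }

    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        if (chain == null || chain.length == 0) {
            throw new CertificateException("empty client certificate chain");
        }
        // Step 1: PKIX validation (signatures, validity, basic constraints) up to our CA.
        // The path given to the validator must stop before the trust anchor itself.
        List<X509Certificate> path = new ArrayList<X509Certificate>();
        for (X509Certificate c : chain) {
            if (Arrays.asList(trustedCerts).contains(c)) {
                break;
            }
            path.add(c);
        }
        if (path.isEmpty()) {
            throw new CertificateException("client presented only the CA certificate");
        }
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            cpv.validate(cf.generateCertPath(path), pkixParams);
        } catch (CertPathValidatorException e) {
            throw new CertificateException("client chain does not validate to the trusted CA", e);
        } catch (GeneralSecurityException e) {
            throw new CertificateException(e);
        }
        // Step 2: authorisation on the unique code in the leaf CN (chain[0] is the client's cert).
        String code = extractCn(chain[0]);
        if (code == null || !ALLOWED_CODES.contains(code)) {
            throw new CertificateException("client code not authorised: " + code);
        }
    }

    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        // Server side only: this manager never vouches for a remote server.
        throw new CertificateException("server trust is not handled by " + getClass().getName());
    }

    public X509Certificate[] getAcceptedIssuers() {
        // Advertised to clients in the CertificateRequest so they pick a cert from our CA.
        return trustedCerts.clone();
    }

    /** Returns the CN attribute of the subject DN, or null if there is none. */
    static String extractCn(X509Certificate cert) throws CertificateException {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
            return null;
        } catch (InvalidNameException e) {
            throw new CertificateException("unparseable subject DN", e);
        }
    }
}
```

On the wiring question: later Tomcat releases document a `trustManagerClassName` attribute on the JSSE connector that takes the fully qualified name of an X509TrustManager class with a zero-argument constructor, which is why the constructor above takes no parameters; whether the Tomcat version in use at the time of the post offers that attribute is not something this page establishes. Note that the PKIX step is what makes the CN trustworthy: without it, any certificate whose CN happens to contain an allowed code would be accepted.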