[jetty-users] Does CLIENT-CERT SSL renegotiation work in Jetty 8/9?

(NOTE: I've asked the exact same question on Stack Overflow, but I think it's too specific or complex to be answered there:
http://stackoverflow.com/questions/14408958/how-can-i-make-client-cert-ssl-renegotiation-work-in-jetty)

I have a webapp that has a public https area, and a private https protected with client certificate using SSL renegotiation. This configuration works correctly (not without a lot of work) in Tomcat 7 with APR.

Now I'm working with Jetty and I've tried everything but I can't make it work.

The client certificates dialog never appears in the browser, and I always get an HTTP 403 error.

My environment is: jdk 1.7.0.02, jetty 9.0.0.M3 launched from Eclipse Helios with m2e. (jetty:run)

The server appears to have SSL renegotiation enabled, testing it as indicated here, so I'm quite sure there are no problems with the SSL Renegotiation Security issues.

I've overridden ClientCertAuthenticator (same code, just to be able to debug) and created a custom LoginService, and it looks like the X509Cert never appears in the request.

Looks like the SSL renegotiation is never triggered, and authentication fails because there is no certificate in the request.

The LoginService configured simply returns true to every validation. I can post them too, if asked, but the important methods never get called.

If I use needClientCert or wantClientCert the application works OK, but then the browser asks for the certificate in the public area.

My configuration files:

web.xml: http://pastebin.com/LQ3RcWY4

jetty.xml: http://pastebin.com/iE9xqcLq

jetty-context.xml: http://pastebin.com/rcSsBfRW

pom.xml (jetty part): http://pastebin.com/wBLATggq

Am I missing something obvious? I don't know. I've searched a lot and tried many possible configurations, but no luck.



--

Juan Calero : Development Team

Mail: j.calero@xxxxxxxxxxxxx Tel. +34 91 803 95 34

www.pixelware.com
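As an added illustration (not the poster's code and not part of Jetty), the following servlet filter shows what an authenticator on the private area has to find in the request: the certificate chain the container stores under the servlet-spec attribute `javax.servlet.request.X509Certificate` once TLS client authentication has actually taken place. Mapping a filter like this to the private path only, and logging the rejection reason, is one way to confirm from inside the webapp whether renegotiation delivered a certificate at all. The class name, the `/private/*` mapping suggested in the comment and the log wording are assumptions.

```java
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter, meant to be mapped only to the private area
 * (for example /private/*) so that the public area never triggers it.
 *
 * It reads the chain the container places in the request after a
 * successful TLS client authentication and refuses the request with
 * 403 when no chain is present or the leaf certificate is outside its
 * validity period. Trust in the chain itself (issuer, truststore) has
 * already been decided by the TLS layer; this filter only verifies
 * that a certificate reached the webapp and is currently valid.
 */
public class ClientCertCheckFilter implements Filter {

    // Servlet-spec attribute name; the same one ClientCertAuthenticator reads.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    public void init(FilterConfig filterConfig) {
        // nothing to configure
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        String reason = rejectionReason(certs);
        if (reason != null) {
            // Log why the private area is refusing the request: the most useful
            // signal when debugging whether renegotiation ever happened.
            request.getServletContext().log("client-cert check failed for "
                    + request.getRequestURI() + " from " + request.getRemoteAddr()
                    + ": " + reason);
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Returns null when the presented chain is acceptable, otherwise a short reason. */
    static String rejectionReason(X509Certificate[] certs) {
        if (certs == null || certs.length == 0) {
            return "no client certificate in request (TLS client authentication did not happen)";
        }
        X509Certificate leaf = certs[0]; // index 0 is the client's own certificate
        try {
            leaf.checkValidity();
        } catch (CertificateExpiredException e) {
            return "certificate expired: " + leaf.getSubjectX500Principal();
        } catch (CertificateNotYetValidException e) {
            return "certificate not yet valid: " + leaf.getSubjectX500Principal();
        }
        return null;
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

If the log line reports "no client certificate in request" on every hit to the private area while the browser never shows its certificate prompt, the problem is upstream of the webapp: the connector never asked the client for a certificate, which is consistent with the symptoms described above. When the attribute is present but the authenticator still fails, the problem is instead in the authenticator or LoginService wiring.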
