(NOTE: I've asked the exact same question on Stack Overflow, but I think it's too specific or complex to be answered there: http://stackoverflow.com/questions/14408958/how-can-i-make-client-cert-ssl-renegotiation-work-in-jetty)

I have a webapp that has a public HTTPS area and a private HTTPS area protected with a client certificate using SSL renegotiation. This configuration works correctly (not without a lot of work) in Tomcat 7 with APR.

Now I'm working with Jetty, and I've tried everything, but I can't make it work. The client certificate dialog never appears in the browser, and I always get an HTTP 403 error.

My environment is: JDK 1.7.0.02, Jetty 9.0.0.M3 launched from Eclipse Helios with m2e (jetty:run).

The server appears to have SSL renegotiation enabled (testing it as indicated here), so I'm quite sure there are no problems with the SSL renegotiation security issues.

I've overridden ClientCertAuthenticator (same code, just to be able to debug) and created a custom LoginService, and it looks like the X509Cert never appears in the request.

It looks like the SSL renegotiation is never triggered, and authentication fails because there is no certificate in the request.

The configured LoginService simply returns true for every validation. I can post them too, if asked, but the important methods never get called.

If I use needClientCert or wantClientCert, the application works OK, but then the browser asks for the certificate in the public area.

My configuration files:

web.xml: http://pastebin.com/LQ3RcWY4
jetty.xml: http://pastebin.com/iE9xqcLq
jetty-context.xml: http://pastebin.com/rcSsBfRW
pom.xml (jetty part): http://pastebin.com/wBLATggq

Am I missing something obvious? I don't know. I've searched a lot and tried many possible configurations, but no luck.