users@glassfish.java.net

SSL Client certs -- requested but not enforced?

From: <glassfish_at_javadesktop.org>
Date: Mon, 10 Aug 2009 13:29:14 PDT

I am trying to mimic the weblogic SSL option "client certs requested but not enforced", where the web container will request SSL client certs from new https connections, but not require them in order to forward the request to the underlying web application. This seems appropriate for applications which manage their own security (and don't use container managed security).

When I configure the https-listener to enforce client certs, everything works fine (meaning my client certs and CA are properly configured). However using the web.xml configuration method described here:
https://glassfish.dev.java.net/javaee5/security/faq.html#configcert
I can't get things to work -- the server does not seem to request client certs.

The key part of the FAQ seems to be "the first request that qualifies for the <auth-constraint> will trigger the client-certificate authentication". Does this mean that I need to use container managed roles in order for the web.xml configuration to trigger the client certificate authentication? Is there any way that I can tell if the auth-constraint is being processed?

Another user seems to have a similar problem even though
http://forums.java.net/jive/thread.jspa?threadID=61477&tstart=0
[Message sent by forum member 'suggarglider' (suggarglider)]

http://forums.java.net/jive/thread.jspa?messageID=359792
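One way to answer the "can I tell whether a client cert was requested and processed" question from inside the application, as an added diagnostic example that is not the poster's code and not part of GlassFish: a servlet that reads the standard Servlet-spec request attribute `javax.servlet.request.X509Certificate` (populated by the container when the TLS handshake carried a client certificate) and `getUserPrincipal()` (populated only when container-managed authentication, such as a CLIENT-CERT login-config backed by an auth-constraint, actually ran). The servlet class name and its URL mapping are assumptions for illustration.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Diagnostic servlet (hypothetical name, added example): reports whether the
 * container handed this request a client certificate chain, and whether
 * container-managed security produced an authenticated principal.
 * Map it in web.xml (e.g. to /certprobe) and hit it over HTTPS.
 */
public class ClientCertProbeServlet extends HttpServlet {

    // Standard Servlet-spec attribute names; no GlassFish-specific API needed.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private static final String CIPHER_ATTR = "javax.servlet.request.cipher_suite";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Confirms the request arrived on the https-listener at all.
        out.println("secure (HTTPS): " + req.isSecure());
        out.println("cipher suite:   " + req.getAttribute(CIPHER_ATTR));

        // Present only if the listener requested a cert AND the client sent one.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            out.println("client certificate: none presented "
                    + "(client had none, or the listener never requested one)");
        } else {
            out.println("client certificate chain length: " + chain.length);
            out.println("subject: " + chain[0].getSubjectX500Principal().getName());
            out.println("issuer:  " + chain[0].getIssuerX500Principal().getName());
            out.println("serial:  " + chain[0].getSerialNumber());
        }

        // Non-null only when the container itself authenticated the caller,
        // i.e. the auth-constraint was processed for this URL.
        Principal p = req.getUserPrincipal();
        out.println("container principal: " + (p == null ? "none" : p.getName()));
    }
}
```

Reading the output: a populated chain with a `none` principal is exactly the "requested but not enforced" state, where the application, not the container, must decide what to do with (or without) the certificate; a `none` chain on an HTTPS request means the listener never asked the client for a certificate, so no web.xml change alone will make one appear.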