Although I don't know Glassfish very well, here is an additional suggestion.
On top of supporting "true", "want" and "false" in its "clientAuth" attribute,
Apache Tomcat also has an "SSLImplementation" attribute (case sensitive), which
makes it possible to specify an alternative SSLImplementation, with additional
properties. This option seems only documented up to Tomcat 3.3, but it still
works in version 6.
For example, here is an implementation that uses jSSLutils:
Provided its jar file is in Tomcat's lib directory, it's able to read a couple
of extra attributes from the <Connector /> element in the Tomcat configuration.

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="..." keystoreType="JKS" keystorePass="..."
               truststoreType="JKS" truststoreFile="..." truststorePass="..."
               acceptAnyCert="true" clientAuth="want" sslProtocol="TLS" />

In this example, "acceptAnyCert" is an attribute that the default
SSLImplementation doesn't support, but which is supported by
Perhaps there could be something similar in Glassfish, where one could specify the
equivalent of an SSLImplementation and which would read additional properties
(perhaps nested within <http-listener /> or within <ssl />).
The benefit of this approach is that it makes it possible to have more unusual
configurations of an SSLContext. I've used it with jSSLutils and added a couple
- one to trust any certificate (that's the one useful for what Henry/bblfish is
- one to trust proxy certificates.
I've also seen this SSLImplementation attribute used (without jSSLutils) in the