Details
- Bug
- Resolution: Done
- Major
- 7.0.0.Alpha4
- None
Description
Consider the scenario:
- The client enables authentication through ConfigurationBuilder (i.e. cb.security().authentication())
- The server's SSL configuration doesn't require client authentication (i.e. require-ssl-client-auth="false") and, in addition, the security-realm's <authentication .../> doesn't include a <truststore .../>
In such a scenario the client is unable to authenticate, as the following exception is thrown in the server-side logs:
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
One-sided communication encryption (with the client storing the server's certificate in its trust store) should be supported, particularly when the client wants to authenticate via credentials.
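
A client-side configuration matching this scenario, as an added example that is not part of the original report: TLS with a trust store only (no client key store) combined with SASL credential authentication. The host, port, trust store path, passwords, user, realm, server name and SASL mechanism are placeholder assumptions.

```java
import javax.security.auth.callback.*;
import javax.security.sasl.RealmCallback;
import org.infinispan.client.hotrod.RemoteCacheManager;
import org.infinispan.client.hotrod.configuration.ConfigurationBuilder;

public class OneWayTlsWithCredentials {

    // Answers the SASL mechanism's requests for user name, password and realm.
    static final class Credentials implements CallbackHandler {
        private final String user;
        private final char[] password;
        private final String realm;

        Credentials(String user, char[] password, String realm) {
            this.user = user;
            this.password = password;
            this.realm = realm;
        }

        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback c : callbacks) {
                if (c instanceof NameCallback) ((NameCallback) c).setName(user);
                else if (c instanceof PasswordCallback) ((PasswordCallback) c).setPassword(password);
                else if (c instanceof RealmCallback) ((RealmCallback) c).setText(realm);
                else throw new UnsupportedCallbackException(c);
            }
        }
    }

    public static void main(String[] args) {
        ConfigurationBuilder cb = new ConfigurationBuilder();
        cb.addServer().host("hotrod.example.test").port(11222);      // placeholder endpoint

        // One-sided TLS: the client verifies the server against its trust store
        // and presents no certificate of its own (no key store is configured).
        cb.security().ssl().enable()
          .trustStoreFileName("client-truststore.jks")               // placeholder path
          .trustStorePassword("changeit".toCharArray());             // placeholder password

        // The client identifies itself with credentials over SASL instead.
        cb.security().authentication().enable()
          .serverName("hotrod-server")                               // placeholder server name
          .saslMechanism("DIGEST-MD5")                               // assumed mechanism
          .callbackHandler(new Credentials("user", "secret".toCharArray(), "ApplicationRealm"));

        RemoteCacheManager rcm = new RemoteCacheManager(cb.build());
        try { rcm.getCache().put("k", "v"); } finally { rcm.stop(); }
    }
}
```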