using inspect: request.getAuthType() (java.lang.String) CLIENT-CERT HttpServletRequest.CLIENT_CERT_AUTH (java.lang.String) CLIENT_CERT api says they should be the same object (== should work)
Created attachment 19396 [details] Fix for CLIENT_CERT/CLIENT-CERT mismatch The auth-methodType value 'CLIENT-CERT' is defined in the web-app DTDs and XSDs, but HttpServletRequest.java uses 'CLIENT_CERT'. The Tomcat internal Request class correctly uses 'CLIENT-CERT'. This patch fixes HttpServletRequest to match the descriptor definition.
-1 for this patch. As per the spec: CLIENT-CERT is for use in web.xml CLIENT_CERT is the value of HttpServletRequest.CLIENT_CERT_AUTH and should be returned by HttpServletRequest.getAuthType() The bug that needs to be fixed is that HttpServletRequest.getAuthType() should return CLIENT_CERT rather than CLIENT-CERT
I have committed an alternative fix. It will be in 5.5.21 onwards.