[From OTN]
Many security architects have the false impression that configuring two-way SSL is, by itself, sufficient to verify who the client is and to restrict access to trusted clients only. That is not the case. Many deployments set up two-way SSL that trusts a public CA such as Verisign and nothing else, even though a CA establishes only that a certificate was issued by a trusted issuer; it provides neither authentication of the certificate holder as a user of your application nor any other form of application access restriction.
This how-to shows how to create a custom user name mapper class that maps attributes of the client certificate to a user in your security realm, so that the user can be authenticated and then used to allow or deny access to your application. It also covers how to configure Oracle WebLogic Server to authenticate the certificate the client presents, and so restrict which clients can reach your application.
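As an added illustration of the mapper class described above (example code, not the article's own), the following class implements WebLogic's `UserNameMapper` interface and maps the subject CN of the client certificate to a realm user name, but only when the certificate was issued by the one CA the application expects. The issuer DN `CN=Example Client CA,O=Example Corp,C=US` and the class name are assumptions; the mapped name is only useful if that user actually exists in the realm, which is what turns a trusted certificate into an authenticated, authorizable user.

```java
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import weblogic.security.providers.authentication.UserNameMapper;

// Added example (not the article's code): map the client certificate's subject
// CN to a realm user name, and only for certificates from the one CA we expect.
// Returning null means "no user", so WebLogic rejects the client rather than
// letting any certificate that merely chains to a trusted CA through.
public class CnUserNameMapper implements UserNameMapper {
    // Assumption: issuer DN of the CA that issues our client certificates.
    private static final String EXPECTED_ISSUER = "CN=Example Client CA,O=Example Corp,C=US";

    public String mapCertificateToUserName(X509Certificate[] certs, boolean ssl) {
        if (certs == null || certs.length == 0) return null;
        X509Certificate leaf = certs[0];
        // Chain trust is not authorization: pin the issuer so a valid certificate
        // from any other trusted CA does not map to a user.
        if (!sameDn(leaf.getIssuerX500Principal().getName(), EXPECTED_ISSUER)) return null;
        // The CN becomes the realm user; the realm still decides whether that
        // user exists and what it is allowed to access.
        return rdnValue(leaf.getSubjectX500Principal().getName(), "CN");
    }

    public String mapDistinguishedNameToUserName(byte[] distinguishedName) {
        return null; // DN-only mapping is not used in this example
    }

    // RDN-by-RDN comparison; Rdn equality ignores case of types and values.
    private static boolean sameDn(String a, String b) {
        try {
            return new LdapName(a).equals(new LdapName(b));
        } catch (InvalidNameException e) {
            return false;
        }
    }

    // Value of the named attribute in an RFC 2253 DN; null if absent or if the
    // DN cannot be parsed, which then maps to no user.
    private static String rdnValue(String dn, String attr) {
        try {
            for (Rdn rdn : new LdapName(dn).getRdns()) {
                if (rdn.getType().equalsIgnoreCase(attr)) return rdn.getValue().toString();
            }
        } catch (InvalidNameException e) { /* unparseable DN: no user */ }
        return null;
    }
}
```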
The article continues at http://www.oracle.com/technology/pub/articles/damo-howto.html