Hi.
Please don't top post here. Respond below the text to which you are responding.
It's easier to read that way. See below.
2014-02-04 André Warnier <a...@ice-sa.com>:
Арсений Зинченко wrote:
Hi.
Task is - have ability to use HTTP/HTTPS without clientAuth for ROOT, but
enable two-factor auth (clientAuth="true" and using trustedstore.jks) for
other Context.
Can somebody please give any tips?
I don't know much about SSL, but isn't the answer right here ?
http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
clientAuth
Set to true if you want the SSL stack to require a valid certificate chain
from the client before accepting a connection. Set to want if you want the
SSL stack to request a client Certificate, but not fail if one isn't
presented. A false value (which is the default) will not require a
certificate chain unless the client requests a resource protected by a
security constraint that uses CLIENT-CERT authentication.
If I understand the above correctly, then setting clientAuth="false" in
the Connector, and then requesting a CLIENT-CERT authentication only in
your "other Context", should do the trick, no ?
Арсений Зинченко wrote:
> Yes, this is exactly what I want, and I see this manual too.
> But how do I specify a different clientAuth= for different Contexts? I
> found the "SSL Authenticator Valve"
> <http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SSL_Authenticator_Valve>
> but there is nothing about how to do it... And I don't see any
> possibility to do it with any other Context options
> <http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Context_Parameters>...
Sorry, as I mentioned earlier, I do not know much about SSL and cannot help you with the
details.
One thing though: the setup of an SSL connection happens *before* Tomcat even knows to
which application the browser wants to talk. Some properties of that connection may not
be changeable anymore, at the level of a Context.
You can just tell the Context to make use or not of some of these properties, not really
change them.
In your case though, it seems that you want the following:
- clients connect via SSL
- some Contexts then (later) require clientAuth
- and some other Contexts (later) do not require clientAuth
That should be solvable just by the <auth-requirements> of each Context.
If you want some Contexts to be accessible via HTTP/HTTPS, and others only via HTTPS,
that also is a parameter that you can specify in each context's web.xml.
(<transport-guarantee> or something like that)
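The layout discussed in this thread, written out as an added example (not config from either poster and not copied from the Tomcat docs): one plain HTTP connector, one HTTPS connector with clientAuth="false" plus the truststore, and a web.xml in the application that needs certificates. The web.xml elements that actually do what André calls "auth-requirements" are <security-constraint> (with <transport-guarantee>CONFIDENTIAL</transport-guarantee> to force HTTPS) and <login-config> with <auth-method>CLIENT-CERT</auth-method>. The keystore paths, passwords, the role name "cert-user", and the certificate subject DN in tomcat-users.xml are assumed placeholders; "trustedstore.jks" is the name from the original question.

```xml
<!-- conf/server.xml (excerpt): plain HTTP plus one HTTPS connector.
     clientAuth="false" lets the TLS handshake complete without a client
     certificate; Tomcat only asks for one (via renegotiation) when a request
     reaches a resource protected by CLIENT-CERT. The truststore still has to
     be set here: which CAs are trusted is a connector-level setting, not a
     per-Context one. Paths and passwords below are placeholders. -->
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           clientAuth="false"
           truststoreFile="conf/trustedstore.jks" truststorePass="changeit" />

<!-- ROOT webapp: no security-constraint in its web.xml, so it stays reachable
     on both 8080 and 8443 and never triggers a certificate request. -->

<!-- The other webapp, WEB-INF/web.xml (excerpt): every URL requires HTTPS and
     a client certificate that the Realm maps to the role "cert-user". -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>whole application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- CONFIDENTIAL: a plain-HTTP request is redirected to redirectPort -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>cert-user</role-name>
</security-role>

<!-- conf/tomcat-users.xml for the default UserDatabaseRealm: with CLIENT-CERT
     the username Tomcat looks up is the certificate's subject DN, so the
     entry must match the DN string exactly as Tomcat renders it (check the
     access log or a debug log line for the real value). Placeholder DN. -->
<user username="CN=alice, OU=Ops, O=Example" password="" roles="cert-user"/>
```

Two things worth checking after deploying this: first, hit the protected application over 8443 with a browser that has no certificate and confirm you get 401/403 rather than content, since a missing <auth-constraint> would still "authenticate" nobody and let the request through; second, confirm ROOT on 8443 never prompts for a certificate, which tells you the connector-level clientAuth="false" is in effect and only the CLIENT-CERT constraint triggers the request. If you ever want the certificate requested from everyone but only enforced in some applications, clientAuth="want" on the Connector is the other option the docs describe; it costs a prompt on every new TLS session to ROOT, which is usually why people prefer the per-application constraint shown here.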