Арсений,

On 2/4/14, 6:32 AM, Арсений Зинченко wrote:
> Hi.
> 
> The task is to have the ability to use HTTP/HTTPS without clientAuth for
> ROOT, but enable two-factor auth (clientAuth="true" and using
> trustedstore.jks) for other Context.
> 
> Can somebody please give any tips?

You have two options:

1. Set clientAuth="want" in the <Connector> and then set
<auth-type>CLIENT-CERT</auth-type> in your application's web.xml (this
will force the user to provide a certificate to authenticate to the
web application when necessary, but not until they hit a protected
resource).

2. Use more than one <Connector> with different clientAuth settings,
and map the connectors separately to your web application. Note that
Tomcat can't do this directly for you. Instead, you'd have to put
another network component (such as httpd) in front of Tomcat, like this:

HTTPS:443  --> httpd  --- 8443  ---> /webappA
                 |
                 +------- 8444  ---> /webappB

You don't have to use HTTPS between httpd and Tomcat; you can use AJP
which can send the client certificate over to Tomcat just fine.

-chris
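
Option 1 from the reply above, written out as configuration. This is an added example, not part of the original message or of Tomcat's documentation. It assumes the Tomcat 7-style JSSE connector attributes used in the thread; the paths, passwords, role name and subject DN are constructed placeholders. In the servlet deployment descriptor the element that carries CLIENT-CERT is `<auth-method>` inside `<login-config>`.

```xml
<!-- conf/server.xml: one HTTPS connector shared by every context.
     clientAuth="want" asks for a client certificate during the handshake
     but still completes it when the client sends none, so ROOT stays
     reachable without a certificate. Paths and passwords are placeholders. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/keystore.jks" keystorePass="CHANGE_ME"
           truststoreFile="conf/trustedstore.jks" truststorePass="CHANGE_ME"
           clientAuth="want" sslProtocol="TLS" />

<!-- WEB-INF/web.xml of the protected application only; ROOT gets none of
     this. Every URL requires TLS and a user in the hypothetical role
     "certuser", authenticated by client certificate. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Certificate-protected area</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>certuser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>certuser</role-name>
</security-role>

<!-- conf/tomcat-users.xml, assuming the default UserDatabaseRealm:
     the Realm looks the user up by the certificate's subject DN, so a
     certificate that chains to the truststore but has no matching user
     is still refused. Constructed entry; the password is not used for
     CLIENT-CERT logins. -->
<user username="CN=Alice Example, OU=Ops, O=Example Corp, C=US"
      password="unused" roles="certuser" />
```
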
