Gary,

On 2/7/14, 1:32 AM, Gary Briggs wrote:
> Evening,
>
> I've been reading this page:
> http://wiki.apache.org/tomcat/SSLWithFORMFallback
> I'm currently using Tomcat 7 on Linux. In short, neither of the
> bits of code linked on that page works for me, but the thing
> described in the title is what I desire.
>
> I have client certificate authentication working fully within my
> needs, but I'm looking for a fallback so I can allow users without
> one of the appropriate smart cards to get in. BasicAuth would also
> be fine for this project, although I'd much rather it were a form.
>
> Additionally, I'm unclear on what the purpose of "optional" is on
> the clientAuth parameter of a Connector, if it's not for the
> purpose of some other fallback authentication mechanism to work.
> Maybe it's just implemented because it's integral to the TLS
> implementation?
>
> Another option is to configure the trust store appropriately, then
> self-sign certificates and pass them out. That's still a little
> hostile to the users that don't have smartcards in the first place;
> I have my Realm hitting up an LDAP server with a username-pass
> tuple that non-smartcard-wielding users already have an account
> on.

FWIW, use of an SSL client certificate does improve the security by
adding a second factor to the existing username-password tuple that
you already have. For the smart-card users, they already "have"
something, and if they are the kinds of smart cards I know about, they
also require something you know to activate them.

-chris