I am using client certificates in my application. Here is the configuration I did.

Step 1: Added the snippet below to the tomcat-users.xml file:

```xml
<role rolename="certrole"/>
<user username="ignoreAndCheckInWebApp" password="nopass" roles="certrole"/>
```

Step 2: Added the snippet below to web.xml:

```xml
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Client Certificate Auth</web-resource-name>
    <url-pattern>/MyClientAuthenticator.jsp</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>certrole</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
```

Then placed a jar file containing MySSlAuthentication.java into the lib folder of Tomcat.

Step 3: Then added the Valve element below under tomcat\conf\context.xml:

```xml
<Valve className="MySSlAuthentication"/>
```

So it's more or less the procedure mentioned at http://twoguysarguing.wordpress.com/2009/11/03/mutual-authentication-with-client-cert-tomcat-6-and-httpclient/

My understanding is that when the browser tries to call MyClientAuthenticator.jsp, the server asks the browser for the client certificate. But why do we need the two entries

```xml
<role rolename="certrole"/>
<user username="ignoreAndCheckInWebApp" password="nopass" roles="certrole"/>
```

under tomcat-users.xml, and what is the use of the entry below?

```xml
<auth-constraint>
  <role-name>certrole</role-name>
</auth-constraint>
```
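As an added example (not code from the question or from the linked post): once the CLIENT-CERT login config has made Tomcat obtain and verify the browser's certificate during the TLS handshake, the web application itself can inspect that certificate through the standard servlet request attribute `javax.servlet.request.X509Certificate`. The filter class name and the allow-listed subject DN below are assumptions, not values from the question.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.List;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: rejects requests whose client certificate is absent, expired, or not on the allow-list. */
public class ClientCertCheckFilter implements Filter {

    // Constructed allow-list of subject DNs; a real deployment would load this from configuration.
    private static final List<String> ALLOWED_SUBJECTS = Arrays.asList(
            "CN=alice,OU=example,O=Example Org,C=US");

    public void init(FilterConfig filterConfig) { }
    public void destroy() { }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        // Tomcat stores the chain it verified during the TLS handshake under this standard attribute.
        X509Certificate[] certs =
                (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        HttpServletResponse resp = (HttpServletResponse) response;

        if (certs == null || certs.length == 0) {
            // No certificate was presented: the TLS layer did not require one, or the client sent none.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        X509Certificate leaf = certs[0];  // certs[0] is the end-entity (client) certificate
        try {
            leaf.checkValidity();          // rejects expired or not-yet-valid certificates
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid");
            return;
        }
        // RFC 2253 form of the subject DN; compare it against the application's own allow-list.
        String subject = leaf.getSubjectX500Principal().getName();
        if (!ALLOWED_SUBJECTS.contains(subject)) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not authorised");
            return;
        }
        chain.doFilter(request, response);  // all checks passed; continue to the JSP
    }
}
```

Map the filter to the protected URL pattern (here /MyClientAuthenticator.jsp) with a filter-mapping in web.xml; it only sees a certificate if the TLS connector or the CLIENT-CERT constraint has actually requested one.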