Hi Tomcat users,

A current application has client authentication configured in the SSL
Connector (server.xml):

<Connector port="8443"
...
clientAuth="true"
keystoreFile=".keystore"
keystorePass="..."
truststoreFile=".truststore"
truststorePass="..."
/>

And the CA root certificates have been added to the truststore.

This way it asks for a client certificate in any case, which works and
is fine for this application.
For a new application the use case is a bit different. I only need
client authentication for a specific defined path (for example: /secured/*).
After some research I found this was possible by defining it at
application level in the web.xml file. So I changed my configuration to:

server.xml:

<Connector port="8443"
...
clientAuth="false"
keystoreFile=".keystore"
keystorePass="..."
truststoreFile=".truststore"
truststorePass="..."
/>

web.xml:

    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Secureconn</web-resource-name>
            <url-pattern>/secured/*</url-pattern>
            <http-method>GET</http-method>
        </web-resource-collection>
        <auth-constraint>
            <role-name>secureconn</role-name>
        </auth-constraint>
    </security-constraint>
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>Secureconn</realm-name>
    </login-config>
    <security-role>
        <role-name>secureconn</role-name>
    </security-role>
In this case it actually only asks for client authentication when going
to, for example, the "secured/home" page.
But I'm getting a 401 message code.

What am I missing to get people authenticated based on the CA root
certificates that are in the configured truststore? Is what I am trying
even possible?

Greetings,
Nathan

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
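Added example, not part of Nathan's message or of any reply to it: with CLIENT-CERT, Tomcat's SSLAuthenticator hands the client certificate chain to the configured Realm, and the built-in realms look the certificate up by its subject distinguished name, treated as the username. A certificate that chains to a trusted CA in the truststore therefore passes the TLS handshake but still gets a 401 if no user with that DN and the required role exists in the Realm. The fragments below show a UserDatabaseRealm in server.xml, a matching tomcat-users.xml entry, and the security constraint from the question. The DN, file locations and role name are assumed placeholder values.

```xml
<!-- server.xml (fragment): the Realm that the CLIENT-CERT authenticator consults.
     UserDatabaseRealm reads conf/tomcat-users.xml through the "UserDatabase"
     JNDI resource that the stock server.xml defines under GlobalNamingResources. -->
<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase"/>
  <!-- Host definitions unchanged -->
</Engine>

<!-- conf/tomcat-users.xml (fragment): for CLIENT-CERT the username is the
     certificate's subject DN, not a login name, and no password is checked;
     the handshake against the truststore already proved key possession.
     The DN below is an assumed placeholder. Use the exact string Tomcat derives
     from the certificate: read it from the "javax.servlet.request.X509Certificate"
     request attribute on an unprotected page before adding the user. -->
<tomcat-users>
  <role rolename="secureconn"/>
  <user username="CN=Alice Example, OU=Clients, O=Example Corp, C=NL"
        password="" roles="secureconn"/>
</tomcat-users>

<!-- web.xml (fragment): the constraint from the question, but without an
     <http-method> element so that POST, PUT, DELETE, ... to /secured/* are
     protected as well, plus a transport guarantee so the path is TLS-only. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secureconn</web-resource-name>
    <url-pattern>/secured/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>secureconn</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>secureconn</role-name>
</security-role>
```

Two points worth checking when this still yields 401: the DN string must match character for character, including the separators and attribute order Tomcat produces (compare against the certificate attribute rather than retyping from the CA's view of the subject), and listing only GET in the web-resource-collection leaves every other HTTP method on /secured/* reachable without a certificate, which is why the constraint above names no method at all.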