Hi Tomcat users,
A current application has client authentication configured in the SSL
Connector (server.xml):
<Connector port="8443"
...
clientAuth="true"
keystoreFile=".keystore"
keystorePass="..."
truststoreFile=".truststore"
truststorePass="..."
/>
And the CA root certificates have been added to the truststore.
This way it asks for a client certificate in any case, which works and
is fine for this application.
For a new application the use case is a bit different. I only need
client authentication for a specific defined path (for example: /secured/*).
After some research I found this was possible with defining this on
application level in the web.xml file. So I changed my configuration to:
server.xml:
<Connector port="8443"
...
clientAuth="false"
keystoreFile=".keystore"
keystorePass="..."
truststoreFile=".truststore"
truststorePass="..."
/>
web.xml:
<security-constraint>
<web-resource-collection>
<web-resource-name>Secureconn</web-resource-name>
<url-pattern>/secured/*</url-pattern>
<http-method>GET</http-method>
</web-resource-collection>
<auth-constraint>
<role-name>secureconn</role-name>
</auth-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
<realm-name>Secureconn</realm-name>
</login-config>
<security-role>
<role-name>secureconn</role-name>
</security-role>
In this case it actually only asks for client authentication when going
to for example "secured/home" page.
But I'm getting a 401 message code.
What am I missing to get people authenticated based on the CA root
certificates that are in the configured truststore? Is it even possible
what I am trying?
Greetings,
Nathan
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
