Hi Tomcat users,

A current application has client authentication configured in the SSL Connector (server.xml):

    <Connector port="8443" ... clientAuth="true"
               keystoreFile=".keystore" keystorePass="..."
               truststoreFile=".truststore" truststorePass="..." />

And the CA root certificates have been added to the truststore. This way it asks for a client certificate in any case, which works and is fine for this application.

For a new application the use case is a bit different. I only need client authentication for a specific defined path (for example: /secured/*). After some research I found this was possible by defining this on application level in the web.xml file. So I changed my configuration to:

server.xml:

    <Connector port="8443" ... clientAuth="false"
               keystoreFile=".keystore" keystorePass="..."
               truststoreFile=".truststore" truststorePass="..." />

web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Secureconn</web-resource-name>
        <url-pattern>/secured/*</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>secureconn</role-name>
      </auth-constraint>
    </security-constraint>

    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>Secureconn</realm-name>
    </login-config>

    <security-role>
      <role-name>secureconn</role-name>
    </security-role>

In this case it actually only asks for client authentication when going to, for example, the "secured/home" page. But I'm getting a 401 message code. What am I missing to get people authenticated based on the CA root certificates that are in the configured truststore? Is what I am trying even possible?

Greetings,
Nathan
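The piece that the web.xml above relies on but does not show is the Realm: with CLIENT-CERT, Tomcat verifies the certificate chain against the truststore at the TLS layer, but the 401 is decided by the Realm, which looks up the certificate's subject DN as a username and checks that it carries the role named in the auth-constraint. The fragments below are an added illustration, not part of Nathan's message or of the Tomcat distribution; they assume the stock UserDatabaseRealm backed by conf/tomcat-users.xml, and the subject DN shown is a constructed placeholder that must be replaced with the DN string of the real client certificate, exactly as Tomcat renders it. The example also drops the http-method element on purpose: listing GET alone leaves every other method (POST, PUT, DELETE, ...) on /secured/* unconstrained, so omitting it makes the constraint cover all methods.

```xml
<!-- conf/server.xml (excerpt): the Realm that CLIENT-CERT consults.
     Assumption: the default UserDatabaseRealm from a stock install. -->
<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>
  </Realm>
  ...
</Engine>

<!-- conf/tomcat-users.xml: map the certificate subject DN to the role.
     The username must match the client certificate's subject DN string
     exactly as Tomcat presents it (case, order and separators included);
     the DN below is a CONSTRUCTED placeholder, not a real identity.
     The password is never checked for CLIENT-CERT logins, so it is left
     empty rather than given a reusable secret. -->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="secureconn"/>
  <user username="CN=Example Client, OU=Example Unit, O=Example Org, C=XX"
        password=""
        roles="secureconn"/>
</tomcat-users>

<!-- WEB-INF/web.xml (excerpt): same constraint as in the message, but
     without <http-method> so that the constraint applies to every
     HTTP method on /secured/*, not only GET. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Secureconn</web-resource-name>
    <url-pattern>/secured/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>secureconn</role-name>
  </auth-constraint>
  <!-- Also refuse plaintext access to the protected path. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Secureconn</realm-name>
</login-config>

<security-role>
  <role-name>secureconn</role-name>
</security-role>
```

Two checks help when the 401 persists: confirm that the certificate is actually reaching the application (with clientAuth="false" Tomcat must renegotiate the TLS session when the constraint is hit, and the result is visible as the `javax.servlet.request.X509Certificate` request attribute), and compare the DN string the Realm is searching for against the username entry character by character. If a per-user listing in tomcat-users.xml is not practical because any certificate issued by the trusted CAs should be accepted, that is a different design: a Realm, or a custom one, that grants the role based on the issuer rather than on a per-subject entry, since the truststore alone only answers "is this chain trusted", not "which role does this identity have".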