Bharath,
On 3/2/2009 10:24 AM, Bharath R wrote:
> I am new to web development. We have a servlet for which both Basic
> Authentication and SSL have to be enabled. We are using Tomcat 6 to host
> our web application. I would like to know how we configure the same
> application to enable both authentication methods.

Do you mean that you want to use SSL client certificates as one mode of
authentication, and HTTP BASIC as the backup? I don't think Tomcat does
that right out of the box. Maybe Acegi ("Spring Security") or JAAS can
provide that capability, but Tomcat doesn't do it directly. You might want
to check out these references:

http://raibledesigns.com/rd/entry/using_jaas_with_tomcat
http://acegisecurity.org/

> Say, if the users access the application from HTTP, it should request a
> username and password (Basic authentication), and if the users use HTTPS,
> it should authenticate using a certificate. We are able to enable only
> one at a time, i.e. either BASIC or SSL. How do we enable both for the
> same authentication?

The problem is that the authentication is set up on a per-webapp basis,
whereas the SSL configuration is done host-wide. You could do this:

1. Create two <Host> entries in server.xml
2. Each <Host> gets one <Connector>: one <Host> gets an SSL HTTP
   <Connector>, the second <Host> gets a (non-SSL) HTTP <Connector>
3. Deploy one copy of your application into your first <Host> with
   login-config set to CLIENT-CERT
4. Deploy another copy of your application into the second <Host> with
   login-config set to BASIC

This should give you the desired result: SSL clients will always use
CLIENT-CERT and non-SSL clients will always use BASIC authentication.

Note that BASIC authentication over a non-encrypted connection is
essentially no security at all.
-chris