Christopher/Pid,

Thanks for your reply. If I set clientAuth="want", will it not ask me for a certificate every time I create a new session? And if I'm forwarding (or redirecting) from a page that only requires straight SSL with server authentication to one which requires mutual authentication, will it force the browser to prompt for a client certificate?
Sanjeev.

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Monday, February 13, 2012 4:23 PM
To: Tomcat Users List
Subject: Re: controlling Server Authentication only vs Mutual authentication

Pid,

On 2/13/12 3:39 PM, Pid wrote:
> On 13/02/2012 17:42, Christopher Schultz wrote:
>> Sanjeev,
>>
>> On 2/9/12 11:17 AM, Sanjeev Sharma wrote:
>>> I work on a Java web-app running on Tomcat 7. The entire
>>> application is required to be doing SSL on port 443 (everything is
>>> accessed via https://). Two different login options are given
>>> to the user: username/password or client certificate
>>> authentication. We employ application-managed security as
>>> opposed to container-managed (i.e. we don't use realms). I have
>>> the following connector in my server.xml:
>>>
>>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>>            maxThreads="150" scheme="https" secure="true"
>>>            keystoreFile="d:\certs\server_cert.jks" keystorePass="changeit"
>>>            truststoreFile="d:\certs\truststore.jks"
>>>            truststorePass="changeit" clientAuth="true" sslProtocol="TLS"
>>>            />
>>>
>>> This forces mutual authentication on anything I try to access
>>> using https. How can I configure Tomcat so that only specific
>>> links (a specific Struts action, for example) would require
>>> mutual authentication, or how can I exclude from the mutual
>>> authentication?
>>
>> I think what you want is clientAuth="want" and then you can
>> maybe write a Filter that requires certain SSL certificate
>> features in order to pass-through. Then, just map your Filter to
>> those areas that require (additional?) SSL authentication.
>
> Is this a variation on the SSLFormFallback thing again?

It's tough to tell.
At any rate, here's the link for the OP: http://wiki.apache.org/tomcat/SSLWithFORMFallback

-chris
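The Filter approach Chris describes, written out as an added example (not code from the thread or from Tomcat itself): with clientAuth="want" on the connector, Tomcat accepts connections with or without a client certificate and exposes any verified chain under the standard request attribute, so a Filter mapped only to the paths that need mutual authentication can reject requests that arrived without one. The class name CertRequiredFilter and the web.xml mapping in the comment are assumptions; the servlet API is javax.servlet as shipped with Tomcat 7.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

// Assumed mapping in web.xml (only the paths needing mutual auth):
//   <filter><filter-name>certRequired</filter-name>
//           <filter-class>CertRequiredFilter</filter-class></filter>
//   <filter-mapping><filter-name>certRequired</filter-name>
//                   <url-pattern>/secure/*</url-pattern></filter-mapping>
public class CertRequiredFilter implements Filter {

    // Standard attribute under which the container exposes the verified client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    public void init(FilterConfig config) throws ServletException { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // With clientAuth="want" this is null when the browser presented no certificate
        // (or no chain that validated against the connector's truststore).
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "A client certificate is required for this resource");
            return;
        }
        // Defence in depth: the leaf certificate must be inside its validity window.
        try {
            certs[0].checkValidity();
        } catch (CertificateException e) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate is not currently valid");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Because clientAuth is a connector-level setting, the certificate request happens once during the TLS handshake rather than per URL; the Filter only decides afterwards whether a presented certificate is mandatory for the mapped paths.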