From Apache Wiki <wikidi...@apache.org>
Subject [Tomcat Wiki] Update of "SSLWithFORMFallback" by KonstantinKolinko
Date Sat, 28 Aug 2010 18:04:56 GMT
Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change notification.

The "SSLWithFORMFallback" page has been changed by KonstantinKolinko.
The comment on this change is: Added CategoryFAQ link, Added links to two related pages..
http://wiki.apache.org/tomcat/SSLWithFORMFallback?action=diff&rev1=11&rev2=12

--------------------------------------------------

  
  Note: Tested with Tomcat 5.5.17, 5.5.20 and 5.5.25
  
+ See also:
+ 
+  * [[SSLWithFormFallback6]]
+  * [[SSLWithFormFallbackAuthenticator]]
+ 
- SSL Client Authentication (sometimes also known as "Client Certificate" authentication)
uses the SSL protocol to authenticate clients based on a X509 Certificate. Normally this is
accomlished by configuring SSL in Tomcat, and then configuring the Web Application's security
descriptor to use "CLIENT-CERT" as the auth-method in the login-config section.
+ SSL Client Authentication (sometimes also known as "Client Certificate" authentication)
uses the SSL protocol to authenticate clients based on a X509 Certificate. Normally this is
accomplished by configuring SSL in Tomcat, and then configuring the Web Application's security
descriptor to use "CLIENT-CERT" as the auth-method in the login-config section.
  
  We found that we wanted to implement 2 levels of security - client authentication based
on SSL certificates for serious security, but FORM based login as a fallback option. This
requirement can exist for a number of reasons:
  
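Review bot: The new "See also" list is inserted between the "Tested with Tomcat 5.5.17, 5.5.20 and 5.5.25" note and the introductory paragraph, with only bare page names; a reader cannot tell from the links alone what [[SSLWithFormFallback6]] and [[SSLWithFormFallbackAuthenticator]] cover or how they relate to the 5.5.x setup this page describes. Consider adding a few words after each link (for example which Tomcat version or which approach the linked page addresses) so the list is useful at the point where it appears. The typo fix "accomlished" to "accomplished" in the first paragraph is otherwise the only textual change in this hunk and looks correct.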
@@ -15, +20 @@

   * to allow different "user-levels" - high security vs. low security, with different functions
available
   * etc...
  
- In trying to implement this, we found the only "standard conformant" solution was to install
the web application multiple times with different authentication configurations. This solution
was very unsatisfactory for us, as it leads to a duplication of services, and the serives
are accessible under different URLs/Ports depending on the desired security level. That just
wasn't what we wanted.
+ In trying to implement this, we found the only "standard conformant" solution was to install
the web application multiple times with different authentication configurations. This solution
was very unsatisfactory for us, as it leads to a duplication of services, and the services
are accessible under different URLs/Ports depending on the desired security level. That just
wasn't what we wanted.
  
  So the following solution, unfortunately, is not standards-conformant. This is because the
J2EE standard, while deferring authentication to the container, specifies the authentication
method in the webapplication deployment descriptor (web.xml). There, only one login-config
section is allowed, which counts for the whole application. It does not permit you to configure
a fallback login method.
  
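Review bot: The only change in this hunk is the spelling fix "serives" to "services", which is correct and leaves the rest of the paragraph as it was. Since the paragraph is being touched anyway, the mixed capitalisation in "different URLs/Ports" could be normalised to "different URLs/ports" in the same edit.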
@@ -150, +155 @@

  
  Should you have questions about the code, please feel free to contact me (the Author) at:
 runger --AT-- aon.at
  
+ ----
+ [[CategoryFAQ]]
+ 
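Review bot: Appending "----" followed by [[CategoryFAQ]] as the last lines of the page matches the usual wiki convention for category membership, and placing it after the author contact line keeps it as the final element. The extra trailing blank line added after the category link is harmless but unnecessary and could be dropped to keep the diff minimal.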

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

