tomcat-users mailing list archives

From "Meren, Libby" <>
Subject Tomcat SSL with both client-auth and server-auth?
Date Wed, 01 May 2002 06:58:56 GMT

Is it possible to set up a Tomcat (3.2.3) server with both client and
server-authentication running?  I've set up a server.xml file with two
connectors (with different port numbers specified, and one having
client-auth=true, the other client-auth=false).  I can run the server and
connect to each of the areas (I've specified them as different contexts, e.g.
path="/client" and path="/server") as specified; however, I'm concerned that
the two authentication levels aren't being enforced.

For example, if I connect to the server-authenticated area (e.g.
https://localhost:8443/server), the security is my site's certificate.
However, if I then change the link in the browser window (e.g. to
https://localhost:8444/client) I am not required to present/select my
certificate to authenticate to the server.  In other words, it has
maintained the server-authentication specified in the first connection.
This also works in reverse: if I connect via client-auth (and present my
cert), I can then move to the server-authenticated area without any fuss.  I
suspect this is because this is all one session, and I haven't successfully
set up Tomcat to accept multiple auth-levels within the one session (or this
isn't possible).

Can someone please help?

Thanks very much!
