tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: Certificate Authentication for individual apps
Date Sat, 02 Jul 2005 04:56:37 GMT

"Mahesh S Kudva" <mahesh.kudva@robosoftin.com> wrote in message 
news:WorldClient-F200507020928.AA28031909@robosoftin.com...
> Hi All
>
> Thanks for the note. Maybe I was not clear in my earlier mail.
>
>
> I have client authentication using certificates. I want to skip client
> auth for certain hosted applications on the server but preserve client
> auth for other apps.
>

On the Connector leave the 'clientAuth' attribute as 'false' (or use 
'want', if you really want to be annoying :).  Then in the webapps that care 
set up your web.xml files with something like:
  <login-config>
       <auth-method>CLIENT-CERT</auth-method>
  </login-config>

In this case, any page protected by a <security-constraint> will force the 
user to send a client-cert.  Unfortunately, most of the production-quality 
Realms that ship with Tomcat don't support CLIENT-CERT auth.

For 4.1.x <= tcversion <= 5.0.x, there is also a request attribute that you 
can use to do the same thing.  If you need it, search the archives.

> Regards & Thanks
> ================
> Mahesh S Kudva
>
>
> -----Original Message-----
> From: Paul Singleton <paul@jbgb.com>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Date: Fri, 01 Jul 2005 15:32:12 +0100
> Subject: Re: Certificate Authentication for individual apps
>
>> Mahesh S Kudva wrote:
>>
>> > How can I have different certificate authentication for different
>> applications and skip certificate
>> > authentication for some applications hosted on the same server.
>>
>> I believe that, at least under SSL, certificates authenticate
>> *servers* not applications, and that the Connector offers a
>> certificate before it checks, or regardless of, the context
>> path within that server.
>>
>> So you need to deploy each app at a different (virtual) host,
>> each with a different IP address.  We do this currently with
>> 5.5.9.  You can use the default keystore for all hosts, and
>> use the (undocumented) keyAlias="myalias" Connector attribute
>> to offer the appropriate certificate for each host, e.g.
>>
>> <Connector
>>   address="288.104.197.211"
>>   port="8443"
>>   scheme="https"
>>   secure="true"
>>   sslProtocol="TLS"
>>   keyAlias="mrk2"
>> />
>>
>> (in 5.5.9 you also need sslProtocol="TLS" explicitly)
>>
>> Paul Singleton
>>
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
>
>
>
> -------------------------------------------------------
> Robosoft Technologies - Partners in Product Development 