To: tomcat-user@jakarta.apache.org
From: "Bill Barker"
Subject: Re: Certificate Authentication for individual apps
Date: Fri, 1 Jul 2005 21:56:37 -0700
"Mahesh S Kudva" wrote in message news:WorldClient-F200507020928.AA28031909@robosoftin.com...

> Hi All
>
> Thanks for the note. Maybe I was not clear in my earlier mail.
>
> I have client authentication using certificates. I want to skip client
> auth for certain hosted applications on the server but preserve client
> auth for other apps.

On the Connector leave the 'clientAuth' attribute as 'false' (or use 'want', if you really want to be annoying :). Then in the webapps that care set up your web.xml files with something like:

  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

In this case, any page protected by a <security-constraint> will force the user to send a client-cert. Unfortunately, most of the production-quality Realms that ship with Tomcat don't support CLIENT-CERT auth.

For 4.1.x <= tcversion <= 5.0.x, there is also a request attribute that you can use to do the same thing. If you need it, search the archives.

> Regards & Thanks
> ================
> Mahesh S Kudva
>
> -----Original Message-----
> From: Paul Singleton
> To: Tomcat Users List
> Date: Fri, 01 Jul 2005 15:32:12 +0100
> Subject: Re: Certificate Authentication for individual apps
>
>> Mahesh S Kudva wrote:
>>
>> > How can I have different certificate authentication for different
>> > applications and skip certificate authentication for some
>> > applications hosted on the same server.
>>
>> I believe that, at least under SSL, certificates authenticate
>> *servers* not applications, and that the Connector offers a
>> certificate before it checks, or regardless of, the context
>> path within that server.
>>
>> So you need to deploy each app at a different (virtual) host,
>> each with a different IP address. We do this currently with
>> 5.5.9. You can use the default keystore for all hosts, and
>> use the (undocumented) keyAlias="myalias" Connector attribute
>> to offer the appropriate certificate for each host, e.g.
>>
>> <Connector
>>     address="288.104.197.211"
>>     port="8443"
>>     scheme="https"
>>     secure="true"
>>     sslProtocol="TLS"
>>     keyAlias="mrk2"
>> />
>>
>> (in 5.5.9 you also need sslProtocol="TLS" explicitly)
>>
>> Paul Singleton

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
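The two suggestions in this thread (Bill's per-webapp CLIENT-CERT login-config on a Connector that leaves clientAuth off, and Paul's one-Connector-per-IP layout with keyAlias picking the server certificate) fit together in one configuration. The following is an added example written for this archive page, not configuration taken from either mail or from the Tomcat distribution. Host names, the 192.0.2.x addresses (the RFC 5737 documentation range), key aliases, keystore paths and passwords, the role name and the user DN are all placeholders; the attribute names are the standard 5.5 JSSE Connector attributes plus the keyAlias attribute Paul mentions. The tomcat-users.xml entry relies on the stock realms looking the certificate subject DN up as the username for CLIENT-CERT, which is how I understand RealmBase behaves; check it against the realm you actually use, since, as Bill notes, not every shipped Realm handles CLIENT-CERT well.

```xml
<!-- conf/server.xml (excerpt): one HTTPS Connector per IP, one server cert per alias -->
<Service name="Catalina">

  <!-- Host A: the TLS handshake does NOT ask for a client cert (clientAuth="false").
       Only webapps on this host whose web.xml declares CLIENT-CERT will trigger
       a renegotiation that requests one. Use clientAuth="want" instead if you
       would rather request (but not require) a cert for every app on this IP. -->
  <Connector address="192.0.2.10" port="8443"
             scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="conf/keystore.jks" keystorePass="changeit"
             keyAlias="hostA"
             clientAuth="false" />

  <!-- Host B: every connection on this IP must present a trusted client cert;
       the handshake fails otherwise, before any context path is looked at. -->
  <Connector address="192.0.2.11" port="8443"
             scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="conf/keystore.jks" keystorePass="changeit"
             keyAlias="hostB"
             clientAuth="true" />

  <Engine name="Catalina" defaultHost="hosta.example.test">
    <!-- hosta.example.test resolves to 192.0.2.10, hostb.example.test to 192.0.2.11 -->
    <Host name="hosta.example.test" appBase="webapps-a" />
    <Host name="hostb.example.test" appBase="webapps-b" />
  </Engine>
</Service>

<!-- webapps-a/certapp/WEB-INF/web.xml: the one app on host A that DOES want a client cert.
     Sibling apps on the same Connector simply omit both elements and are never asked. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Cert-protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- placeholder role; mapped from the cert subject by the Realm -->
      <role-name>certuser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- keep the constraint on https only, so a plain-http Connector
           (if you also run one) cannot serve these paths without a cert -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-role>
    <role-name>certuser</role-name>
  </security-role>
</web-app>

<!-- conf/tomcat-users.xml (excerpt), for the default UserDatabaseRealm:
     with CLIENT-CERT the username looked up is the certificate's subject DN
     (assumption about the stock realms; placeholder DN shown), so the
     string must match the DN exactly as the JSSE provider renders it. -->
<tomcat-users>
  <role rolename="certuser" />
  <user username="CN=Alice Example, OU=Dev, O=Example Corp, C=US"
        password="" roles="certuser" />
</tomcat-users>
```

The point of splitting the Connectors by address is that the handshake decision (require a cert or not) is made per Connector, before Tomcat knows the context path, while the CLIENT-CERT login-config is evaluated per webapp afterwards. With clientAuth="false" the client cert is only requested when a protected URL in a CLIENT-CERT app is hit, so unrelated apps on the same IP never see a cert prompt; the trade-off is that the JVM trust store (javax.net.ssl.trustStore) still has to contain the issuing CA for the renegotiation to succeed, and a user whose DN is not in the realm gets a 403 rather than a handshake failure.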