tomcat-users mailing list archives

From David Delbecq <david.delb...@oma.be>
Subject Re: Tomcat and client certificates
Date Wed, 01 Feb 2006 18:44:49 GMT
Hi
Yes, it is possible. From connector configuration doc:
  clientAuth: 
  Set this value to true if you want Tomcat to require all SSL clients to 
present a client Certificate in order to use this socket.
  Set this value to want if you want Tomcat to request a client Certificate, 
but not fail if one isn't presented.

So in your configuration, change clientAuth="false" to clientAuth="want" and the 
connector will accept connections whether there is a certificate or not. But don't 
forget that 
        <login-config>
                <auth-method>CLIENT-CERT</auth-method>
        </login-config>
means access to /html/* will be refused to users not presenting a certificate. 
(They can still access other webapps in tomcat if those have a login-config 
not based on certificate and they can also browse in ssl the non restricted 
area of client-cert based webapp)
For sensitive areas, you might also be interested in adding, in particular 
for basic authentication based webapps:
           ...
                <user-data-constraint>
                      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
                </user-data-constraint>
           </security-constraint>

On Wednesday 01 February 2006 17:55, Markus wrote:
>Creating client certs is no problem, I already had client
>authentication working on the Connector-Level.
>
>Nick:
>In other words: it is NOT possible in tomcat to have a webapp with
>BOTH, a private part with ssl AND client authentication and a public
>part with ssl but WITHOUT client authentication?
>
>That would be sad.
>
>
>Markus
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>For additional commands, e-mail: users-help@tomcat.apache.org

-- 

David Delbecq
Royal Meteorological Institute of Belgium
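
The setup described in the reply above, put together as an added example (not part of the original message and not taken from the Tomcat distribution): a connector with clientAuth="want" plus a web.xml that demands a certificate only under /html/*. The role name "certuser", the port, and the keystore/truststore paths and passwords are assumptions chosen for illustration.

```xml
<!-- conf/server.xml: HTTPS connector that asks for a client certificate
     but still completes the handshake when none is presented.
     Paths and passwords below are placeholders. -->
<Connector port="8443" scheme="https" secure="true"
           sslProtocol="TLS"
           clientAuth="want"
           keystoreFile="conf/server.keystore" keystorePass="CHANGE_ME"
           truststoreFile="conf/clientca.truststore" truststorePass="CHANGE_ME" />
<!-- Keep only the CA that issues your client certificates in the
     truststore; every CA in it can vouch for a client. -->

<!-- WEB-INF/web.xml of the webapp: private area under /html/*,
     everything else stays reachable over SSL without a certificate. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Private area</web-resource-name>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- The configured Realm must contain a user whose name is the
         certificate's subject DN and who holds this role. -->
    <role-name>certuser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Redirects plain-HTTP requests for this area to the SSL port. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>certuser</role-name>
</security-role>
```

With this layout the certificate check is enforced by the webapp's security-constraint, not by the connector, so any path left outside a constraint is served to clients that presented no certificate.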
