tomcat-users mailing list archives

From rnilsen <>
Subject Client-cert authentication across web-applications
Date Thu, 11 May 2006 13:55:20 GMT

I have been thinking about replacing the legacy username/password system
used today in my web-applications with authentication using personal
certificates via client-cert authentication. The problem is that I need to
run multiple instances of the same web-application with different users in
each instance. The way it is done now is through a legacy system checking the
database if username/password match, then generating a session - which
should still be possible if the webapp is not set up to use client-cert.

The examples I see are all based on usernames and passwords (depending on
authentication) placed in a specific Tomcat file - and I can't do that, it
needs to be put into the legacy database for the specific instance. The plan
is to have the user, when entering without a personal certificate, just
enter his/her e-mail address in a field, which is then posted to a servlet residing
in the specific web-application, which then produces an e-mail with a URL
and a random confirmation key. When the user clicks this URL, he/she will
get the certificate request produced by a servlet, which the browser will ask
the user to accept.

So, is it possible to a) have authentication split on each web-app and b)
have the user authentication be based on a legacy system through e.g. a class in
the web-application itself?