tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Enabling Basic Authentication and SSL for the same WebApplication on Tomcat 6
Date Mon, 02 Mar 2009 22:39:29 GMT
Hash: SHA1


On 3/2/2009 10:24 AM, Bharath R wrote:
> I am new to web development. We have a servlet for which both Basic
> Authentication and SSL has to be enabled. We are using tomcat 6 to host our
> web application. I would like to know how do we configure the same
> application to enable both authentication.

Do you mean that you want to use SSL Client certificates as one mode of
authentication, and HTTP-BASIC as the backup? I don't think Tomcat does
that right out of the box. Maybe Acegi ("Spring Security") or JAAS can
provide that capability, but Tomcat doesn't do it directly.

You might want to check out these references:

> Say, if the users access the
> application from HTTP, it should request for username and password (Basic
> authentication) and if the users use https, it should authenticate using
> certificate. We are able to enable only one at a time, ie. either BASIC or
> SSL. How do we enable both for the same authentication?

The problem is that the authentication is set up on a per-webapp basis,
whereas the SSL configuration is done host-wide.

You could do this:

1. Create two <Host> entries in server.xml
2. Each <Host> gets one <Connector>
   One <Host> gets an SSL HTTP <Connector>
   Second <Host> gets an (non-ssl) HTTP <Connector>
3. Deploy one copy of your application into your first <Host>
   with login-config set to CLIENT-CERT
4. Deploy another copy of your application into the second
   <Host> with login-config set to BASIC

This should give you the desired result: SSL clients will always use
CLIENT-CERT and non-SSL clients will always use BASIC authentication.
Note that BASIC authentication over a non-encrypted connection is
essentially no security at all.

- -chris
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message