tomcat-users mailing list archives

From: Steve Mitchell
Subject: Authentication and roles (RFE)
Date: Fri, 17 Dec 2010 00:36:21 GMT

I would like my Tomcat instance to authenticate different roles differently.  E.g., admins
must use SSL client auth, while regular users use HTTP basic authentication over SSL.  This
seems like a routine requirement, but it's unsupported in Tomcat 6 (or 7).

I have a workaround -- use an Apache reverse proxy for authentication.  The disadvantages
are that Tomcat roles are unavailable, and admin users and regular users connect to the same
resource with different URLs.  

The ideal solution would be to use SSL with selectable client authentication.  In this mode,
HTTP basic authentication would be skipped if the client had already presented a valid SSL
client certificate.  Can Tomcat be made to do this?

