tomcat-users mailing list archives

From Sanjeev Sharma <sanjeev.sha...@buchanan-edwards.com>
Subject RE: controlling Server Authentication only vs Mutual authentication
Date Fri, 10 Feb 2012 16:45:48 GMT
Found a solution to this.  In case anyone is interested, I gave my server two IP addresses
and used two connectors with the two IP addresses in the "address=" field of the connectors.
 I set one of them to clientAuth="true" and the other to clientAuth="false".  I do have to do
a "redirect" from one to the other when I would've preferred to "forward", but otherwise this
solution works.

-----Original Message-----
From: Sanjeev Sharma [mailto:sanjeev.sharma@buchanan-edwards.com] 
Sent: Thursday, February 09, 2012 11:18 AM
To: Tomcat Users List
Subject: controlling Server Authentication only vs Mutual authentication

Hi,

I work on a Java web-app running on Tomcat 7.  The entire application is required to be doing
SSL on port 443 (everything is accessed via https://).  Two different login options are given
to the user: username/password or client certificate authentication.  We employ application-managed
security as opposed to container-managed (i.e. we don't use realms).  I have the following connector
in my server.xml:

<Connector port="443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           maxThreads="150"
           scheme="https"
           secure="true"
           keystoreFile="d:\certs\server_cert.jks"
           keystorePass="changeit"
           truststoreFile="d:\certs\truststore.jks"
           truststorePass="changeit"
           clientAuth="true"
           sslProtocol="TLS" />


This forces mutual authentication on anything I try to access using https.  How can I configure
Tomcat so that only specific links (a specific Struts action for example) would require mutual
authentication, or how can I exclude from the mutual authentication?

Thanks,
Sanjeev.