tomcat-users mailing list archives

From André Warnier
Subject Re: Using different SSL-connector settings for various Context
Date Tue, 04 Feb 2014 13:12:28 GMT

Please don't top post here. Respond below the text to which you are responding.
It's easier to read that way. See below.

> 2014-02-04 André Warnier <>:
>> Арсений Зинченко wrote:
>>> Hi.
>>> Task is - have ability to use HTTP/HTTPS without clientAuth for ROOT, but
>>> enable two-factor auth (clientAuth="true" and using trustedstore.jks) for
>>> other Context.
>>> Can somebody please any tips?
>> I don't know much about SSL, but isn't the answer right here ?
>> clientAuth
>> Set to true if you want the SSL stack to require a valid certificate chain
>> from the client before accepting a connection. Set to want if you want the
>> SSL stack to request a client Certificate, but not fail if one isn't
>> presented. A false value (which is the default) will not require a
>> certificate chain unless the client requests a resource protected by a
>> security constraint that uses CLIENT-CERT authentication.
>> If I understand the above correctly, then setting clientAuth="false" in
>> the Connector, and then requesting a CLIENT-CERT authentication only in
>> your "other Context", should do the trick, no ?

Арсений Зинченко wrote:
> Yes, this is exactly what I want and I see this manual too.
> But - how to specify different clientAuth= for different Contexts? I
> found "SSL Authenticator
> Valve<>"
> - but there is nothing about how to do it... And I don't see any
> possibility to do it with any other Context
> options<>...
Sorry, as I mentioned earlier, I do not know much about SSL and cannot help you with the 

One thing though : the setup of an SSL connection happens *before* Tomcat even knows to 
which application the browser wants to talk.  Some properties of that connection may not 
be changeable anymore, at the level of a Context.
You can just tell the Context to make use or not of some of these properties, not really 
change them.

In your case though, it seems that you want the following :
- clients connect via SSL
- some Contexts then (later) require clientAuth
- and some other Contexts (later) do not require clientAuth
That should be solvable just by the <auth-requirements> of each Context.

If you want some Contexts to be accessible via HTTP/HTTPS, and others only via HTTPS, 
that also is a parameter that you can specify in each context's web.xml.
(<transport-guarantee> or something like that)
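The setup the thread arrives at, written out as an added example (this is not configuration from the original posts or from the Tomcat project itself): one HTTPS connector with clientAuth="false" and a truststore, a Realm that maps the certificate's subject DN to a role, and a CLIENT-CERT plus CONFIDENTIAL constraint in the web.xml of the protected webapp only. Ports, file names, passwords, the DN "CN=Alice, OU=Ops, O=Example, C=RU", the role name "cert-user" and the use of UserDatabaseRealm are all assumptions chosen for illustration.

```xml
<!-- conf/server.xml, inside <Service>.
     The plain HTTP connector's redirectPort must point at the HTTPS
     connector, otherwise a CONFIDENTIAL transport-guarantee has nowhere
     to redirect to (assumed ports). -->
<Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />

<!-- One HTTPS connector shared by every Context. clientAuth stays
     "false" (the default), so the TLS handshake itself never demands a
     client certificate; clientAuth="true" here would force a certificate
     for ROOT as well, which is what the original poster wants to avoid.
     The truststore is still required: when a CLIENT-CERT protected
     webapp asks for a certificate later, Tomcat renegotiates the
     connection and validates the client chain against it
     (assumed keystore/truststore paths and passwords). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           truststoreFile="conf/trustedstore.jks" truststorePass="changeit" />

<!-- conf/server.xml, inside <Engine> or <Host>: a Realm that turns the
     authenticated certificate into a principal with roles. With
     CLIENT-CERT, Tomcat's SSLAuthenticator passes the certificate chain
     to the Realm, and the built-in Realms use the certificate's subject
     DN as the user name, so the user name below must match the DN string
     exactly as Java renders it (assumed DN and role). -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase" />

<!-- conf/tomcat-users.xml (referenced by the UserDatabase resource) -->
<tomcat-users>
  <role rolename="cert-user"/>
  <user username="CN=Alice, OU=Ops, O=Example, C=RU" password="" roles="cert-user"/>
</tomcat-users>

<!-- WEB-INF/web.xml of the protected Context only. ROOT's web.xml gets
     none of this and therefore stays reachable over HTTP or HTTPS
     without any client certificate. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <!-- Only principals the Realm mapped to this role are admitted;
         this is the per-Context "auth requirement". -->
    <auth-constraint>
      <role-name>cert-user</role-name>
    </auth-constraint>
    <!-- CONFIDENTIAL sends plain-HTTP requests to the HTTPS connector
         (via redirectPort) before authentication, so the certificate
         can actually be requested. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- CLIENT-CERT makes Tomcat request the certificate on first access
       to a constrained resource, by renegotiating the TLS connection on
       the otherwise clientAuth="false" connector. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>Client certificate required</realm-name>
  </login-config>

  <security-role>
    <role-name>cert-user</role-name>
  </security-role>
</web-app>
```

Two practical points. First, because the connector does not ask for a certificate up front, the per-Context CLIENT-CERT check depends on the connector being able to renegotiate the TLS session mid-connection; if the deployment cannot allow renegotiation, clientAuth="want" (quoted above: the stack requests a certificate but does not fail without one) is the alternative, at the cost of browsers prompting for a certificate on ROOT as well. Second, check the mapping before trusting it: with the above, a client presenting a certificate that chains to trustedstore.jks but whose DN has no matching Realm user is authenticated but has no role, and must be rejected by the auth-constraint rather than let in.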
