Return-Path: 
 <users-return-254995-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
X-Original-To: apmail-tomcat-users-archive@www.apache.org
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: from mail.apache.org (hermes.apache.org [140.211.11.3])
	by minotaur.apache.org (Postfix) with SMTP id EAB261871E
	for <apmail-tomcat-users-archive@www.apache.org>;
 Mon,  5 Oct 2015 11:05:30 +0000 (UTC)
Received: (qmail 54772 invoked by uid 500); 5 Oct 2015 11:05:24 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 54709 invoked by uid 500); 5 Oct 2015 11:05:24 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 54698 invoked by uid 99); 5 Oct 2015 11:05:24 -0000
Received: from Unknown (HELO spamd3-us-west.apache.org) (209.188.14.142)
    by apache.org (qpsmtpd/0.29) with ESMTP; Mon, 05 Oct 2015 11:05:24 +0000
Received: from localhost (localhost [127.0.0.1])
	by spamd3-us-west.apache.org (ASF Mail Server at spamd3-us-west.apache.org)
 with ESMTP id CEEF11809BA
	for <users@tomcat.apache.org>; Mon,  5 Oct 2015 11:05:23 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at spamd3-us-west.apache.org
X-Spam-Flag: NO
X-Spam-Score: 2.991
X-Spam-Level: **
X-Spam-Status: No, score=2.991 tagged_above=-999 required=6.31
	tests=[HTML_FONT_LOW_CONTRAST=0.001, HTML_MESSAGE=3,
	RCVD_IN_MSPIKE_H3=-0.01, RCVD_IN_MSPIKE_WL=-0.01, SPF_PASS=-0.001,
	T_REMOTE_IMAGE=0.01, URIBL_BLOCKED=0.001] autolearn=disabled
Received: from mx1-eu-west.apache.org ([10.40.0.8])
	by localhost (spamd3-us-west.apache.org [10.40.0.10]) (amavisd-new,
 port 10024)
	with ESMTP id WG1p3d97FVrx for <users@tomcat.apache.org>;
	Mon,  5 Oct 2015 11:05:13 +0000 (UTC)
Received: from mail-yk0-f174.google.com (mail-yk0-f174.google.com
 [209.85.160.174])
	by mx1-eu-west.apache.org (ASF Mail Server at mx1-eu-west.apache.org) with
 ESMTPS id 182EB201F9
	for <users@tomcat.apache.org>; Mon,  5 Oct 2015 11:05:12 +0000 (UTC)
Received: by ykdz138 with SMTP id z138so166692830ykd.2
        for <users@tomcat.apache.org>; Mon, 05 Oct 2015 04:05:11 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20130820;
        h=x-gm-message-state:mime-version:date:message-id:subject:from:to
         :content-type;
        bh=qvs9NyfKGAGDGGIWB2eO9Bzx4dPD2aVQSBQNGp2FAGU=;
        b=cCfidcwOa2oR4r64xlF1n5ADryoiighel7nn4AXjFOC6dSa6CY9yQPii5BMkPh/svn
         Eq8WDj0rG4LyxGTOdT+HJ7Chs24Y0bSEFUomkj7anJVFiSR7hMGyZMa9vEwFp3Bf+8ij
         lEQB4q3dsBStqzxxdapYgi+hP9clg9Wl9afzUauGtaoDFvlLbCkUsy2EjF+FnxQOncdo
         VqwUrd5zLTBLsT79+NeruxSxY3xuDudI2AjsUOopMb/8tM/i0Eo2QeEDjeCa4AEc9elI
         q/6iSGjMISKVvET0WY3Y7jFdR1nmPW7fPn2l8gy3/fSbdCmIMox/1IwYSb+YbCTRZA0B
         IpaA==
X-Gm-Message-State: 
 ALoCoQnR5ndgEFw/A0aVEkNh91M/YV7Qb47zOyK2/lctCrtMu56/BsRowC4PQfmcVZAZySAzfAv2
MIME-Version: 1.0
X-Received: by 10.170.123.83 with SMTP id p80mr24525132ykb.127.1444043111068;
 Mon, 05 Oct 2015 04:05:11 -0700 (PDT)
Received: by 10.37.208.195 with HTTP; Mon, 5 Oct 2015 04:05:11 -0700 (PDT)
Date: Mon, 5 Oct 2015 13:05:11 +0200
Message-ID: 
 <CAOkgiuNVQH13NNuh9LfH9g0-+mTPL8_GYq8AbF_Jg+5=3bQbkw@mail.gmail.com>
Subject: Demand CLIENT-CERT only on certain pages but demand SSL in all pages
From: Gael Abadin <gael.abadin@imatia.com>
To: users@tomcat.apache.org
Content-Type: multipart/alternative; boundary=001a1137be1cad31d10521597cc5

--001a1137be1cad31d10521597cc5
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable

Hello, fellow users.

I've been trying to configure tomcat to request client certificate
authentication on a single page, while serving every other SSL page without
requesting a client certificate (before or after authentication). Depending
on the configuration I use, one of 2 things happen: either I get a request
for a client certificate on ANY HTTPS page I visit first, or I do not get a
request at all, never, even when I launch the browser and go straight to
the protected page (/my-app-name/public/login/login.xhtml).

Am I doing something wrong or is this kind of configuration just not
possible?

Here is my web.xml security constraint and login config (I've also tried
ommitin <login-config>):

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/public/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>


And here is my server.xml config (I've also tried clientAuth=3D"false" and
clientAuth=3D"true"):

<?xml version=3D"1.0" encoding=3D"UTF-8"?>
<Server port=3D"8005" shutdown=3D"SHUTDOWN">
  <Listener className=3D"org.apache.catalina.startup.VersionLoggerListener"=
/>

  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener SSLEngine=3D"on"
className=3D"org.apache.catalina.core.AprLifecycleListener"/>
  <!--Initialize Jasper prior to webapps are loaded. Documentation at
/docs/jasper-howto.html -->
  <Listener className=3D"org.apache.catalina.core.JasperListener"/>
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener
className=3D"org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener
className=3D"org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener
className=3D"org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>

  <GlobalNamingResources>
    <Resource auth=3D"Container" description=3D"User database that can be
updated and saved"
factory=3D"org.apache.catalina.users.MemoryUserDatabaseFactory"
name=3D"UserDatabase" pathname=3D"conf/tomcat-users.xml"
type=3D"org.apache.catalina.UserDatabase"/>
  </GlobalNamingResources>

  <Service name=3D"Catalina">

    <Connector connectionTimeout=3D"20000" port=3D"80" protocol=3D"HTTP/1.1=
"
redirectPort=3D"443"/>

    <Connector SSLEnabled=3D"true" clientAuth=3D"want" maxThreads=3D"150"
port=3D"443" protocol=3D"org.apache.coyote.http11.Http11Protocol"
scheme=3D"https" secure=3D"true" sslProtocol=3D"TLS"/>

    <Connector port=3D"8009" protocol=3D"AJP/1.3" redirectPort=3D"443"/>

    <Engine defaultHost=3D"localhost" name=3D"Catalina">
      <Realm className=3D"org.apache.catalina.realm.LockOutRealm">
        <Realm className=3D"org.apache.catalina.realm.UserDatabaseRealm"
resourceName=3D"UserDatabase"/>
      </Realm>
      <Host appBase=3D"webapps" autoDeploy=3D"true" name=3D"localhost"
unpackWARs=3D"true">
        <Valve className=3D"org.apache.catalina.valves.AccessLogValve"
directory=3D"logs" pattern=3D"%h %l %u %t &quot;%r&quot; %s %b"
prefix=3D"localhost_access_log." suffix=3D".txt"/>
        <Context docBase=3D"my-app-name" path=3D"/my-app-name"
reloadable=3D"true" source=3D"org.eclipse.jst.jee.server:cividas-core-web"/=
>
      </Host>
    </Engine>
  </Service>
</Server>

It is my first Tomcat SSL client cert set up so I must be missing
something. Hope you may help me see it :-)

Cheers,

--=20



.

Alberto Gael Abadin Martinez
Junior Developer

[image: IMATIA]

www.imatia.com

*Tel: *+34 986 342 774 ext 4531

*Email: *gael.abadin@imatia.com
Edificio CITEXVI
Fonte das Abelleiras, s/n - Local 27
36310 Vigo (Pontevedra)
Espa=C3=B1a

.
<http://www.linkedin.com/company/imatia-innovation>
<http://www.youtube.com/imatiainnovation>

.

Este mensaje, y en su caso, cualquier fichero anexo al mismo, puede
contener informaci=C3=B3n confidencial, siendo para uso exclusivo del
destinatario. Queda prohibida su divulgaci=C3=B3n copia o distribuci=C3=B3n=
 a
terceros sin la autorizaci=C3=B3n expresa del remitente. Si usted ha recibi=
do
este mensaje err=C3=B3neamente, se ruega lo notifique al remitente y proced=
a a
su borrado. Gracias por su colaboraci=C3=B3n.
This message, and in the case of any file annexed to it, can have
confidential information, and it is exclusively for the use of the
addressee of the message. It is strictly forbidden to spread a copy or
distribute to third parties, without the express order of the sender. If
you have received this message mistakenly, we request you to notify to the
sender, and please be sure to erase it. Thank you for your collaboration.

.

--001a1137be1cad31d10521597cc5--