tomcat-users mailing list archives

From George Stanchev <>
Subject client cert authentication
Date Fri, 04 May 2018 18:41:24 GMT
I guess I am looking for some pointers on how to approach a certain scenario from "the right way"
of implementing it. Say you have a standard login form with user/pass edits and "Login" and
"Smartcard" buttons. The "Login" button does its obvious thing. The "Smartcard" button authenticates
the user using client cert SSL. The actual certificate validation happens way downstream of
the login page controller, so all it needs to do is to extract it from the request and pass
it on to the backend. The login page can be served either over http or https. The way it is
currently implemented is for the servlet to detect that the "Smartcard" button has been pressed
and to 302 to a specially designated https connector that has `clientAuth="true"` +
`trustManagerClassName=...AnyCertX509TrustManager` attributes that handle the client cert
authentication. I suspect though that this is a hack, and there could be a more clever way to
handle this with either forwarding or somehow manually upgrading the connection from HTTP to
HTTPS/clientAuth or HTTPS to HTTPS/clientAuth to challenge for a client certificate. I'd like
to eliminate the 302 and the maintenance of a separate connector. Some pointers/advice would be
appreciated...
