> Please don't top post here. Respond below the text to which you are responding. It's easier to read that way. See below.

Sorry - it's Google formatting if you press "Answer".

> That should be solvable just by the <auth-requirements> of each Context.

I tried to google it - but nothing... Can you please give a link to something about it?

Plus some additional info.

Now we use configuration via web.xml:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>*</web-resource-name>
        <url-pattern>/sourcename/*</url-pattern>
      </web-resource-collection>
      <auth-constraint>
        <role-name>cert</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>
    <login-config>
      <auth-method>CLIENT-CERT</auth-method>
    </login-config>
    <security-role>
      <role-name>cert</role-name>
    </security-role>

And for ROOT the configuration is described in server.xml:

    <Context docBase="ROOT" path="">
      <Valve className="org.apache.catalina.valves.SomeAuthValve"
             FLDAPAppName="SOME" FLDAPDebug="1" FLDAPLogin="https://some" />
    </Context>

So the task is to create a second context for <url-pattern>/sourcename/*</url-pattern> with <auth-method>CLIENT-CERT</auth-method>, but in Context "terminology".

2014-02-04 André Warnier <a...@ice-sa.com>:
> Hi.
>
> Please don't top post here. Respond below the text to which you are responding.
> It's easier to read that way. See below.
>
>> 2014-02-04 André Warnier <a...@ice-sa.com>:
>>
>> Арсений Зинченко wrote:
>>>
>>> Hi.
>>>>
>>>> The task is to have the ability to use HTTP/HTTPS without clientAuth for ROOT,
>>>> but enable two-factor auth (clientAuth="true" and using trustedstore.jks)
>>>> for the other Context.
>>>>
>>>> Can somebody please give any tips?
>>>
>>> I don't know much about SSL, but isn't the answer right here ?
>>>
>>> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>>>
>>> clientAuth
>>>
>>> Set to true if you want the SSL stack to require a valid certificate chain
>>> from the client before accepting a connection. Set to want if you want the
>>> SSL stack to request a client Certificate, but not fail if one isn't
>>> presented. A false value (which is the default) will not require a
>>> certificate chain unless the client requests a resource protected by a
>>> security constraint that uses CLIENT-CERT authentication.
>>>
>>> If I understand the above correctly, then setting clientAuth="false" in
>>> the Connector, and then requesting a CLIENT-CERT authentication only in
>>> your "other Context", should do the trick, no ?
>>>
> Арсений Зинченко wrote:
> > Yes, this is exactly what I want, and I see this manual too.
> > But how to specify a different clientAuth= for different Contexts? I
> > found "SSL Authenticator Valve
> > <http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SSL_Authenticator_Valve>"
> > - but there is nothing about how to do it... And I don't see any
> > possibility to do it with any other Context options
> > <http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Context_Parameters>...
> >
> Sorry, as I mentioned earlier, I do not know much about SSL and cannot
> help you with the details.
>
> One thing though : the setup of an SSL connection happens *before* Tomcat
> even knows to which application the browser wants to talk. Some properties
> of that connection may not be changeable anymore, at the level of a Context.
> You can just tell the Context to make use or not of some of these
> properties, not really change them.
>
> In your case though, it seems that you want the following :
> - clients connect via SSL
> - some Contexts then (later) require clientAuth
> - and some other Contexts (later) do not require clientAuth
> That should be solvable just by the <auth-requirements> of each Context.
>
> If you want some Contexts to be accessible via HTTP/HTTPS, and others
> only via HTTPS, that also is a parameter that you can specify in each
> context's web.xml.
> (<transport-guarantee> or something like that)
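As an added configuration example (not from this thread, not from the Tomcat documentation), here is one way to lay out what André describes: a single HTTPS Connector with clientAuth="false", the ROOT Context left as it is in the message above, and a second Context for /sourcename whose own web.xml carries the CLIENT-CERT constraint. Tomcat does not let a Context change clientAuth on the Connector; instead the CLIENT-CERT authenticator asks for the certificate only when a protected resource in that Context is requested. The docBase "sourcename", keystore and truststore paths, passwords and the user DN are placeholders I made up; the SomeAuthValve on ROOT is the one already shown in the thread.

```xml
<!-- ===== conf/server.xml (fragment) ===== -->
<!-- One HTTPS Connector for both Contexts. clientAuth="false" means the
     handshake succeeds without a client certificate; Tomcat will request
     one later (via TLS renegotiation) only for CLIENT-CERT-protected
     resources. The truststore must contain the CA that issued the client
     certificates, otherwise the chain is rejected during that renegotiation. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="conf/server.jks" keystorePass="PLACEHOLDER"
           truststoreFile="conf/trustedstore.jks" truststorePass="PLACEHOLDER" />

<Engine name="Catalina" defaultHost="localhost">
  <!-- Realm that maps the certificate's Subject DN (used as the user name
       by CLIENT-CERT) to the "cert" role. Without such a mapping the
       request is authenticated but fails the auth-constraint with 403. -->
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase" />

  <Host name="localhost" appBase="webapps">
    <!-- ROOT: reachable over HTTP or HTTPS, no client certificate.
         Keeps the custom valve from the original message. -->
    <Context docBase="ROOT" path="">
      <Valve className="org.apache.catalina.valves.SomeAuthValve"
             FLDAPAppName="SOME" FLDAPDebug="1" FLDAPLogin="https://some" />
    </Context>

    <!-- /sourcename: client certificate required. The authenticator valve
         below is optional: Tomcat selects SSLAuthenticator automatically
         from <auth-method>CLIENT-CERT</auth-method> in the app's web.xml,
         it is spelled out here only to make the Context-level wiring visible. -->
    <Context docBase="sourcename" path="/sourcename">
      <Valve className="org.apache.catalina.authenticator.SSLAuthenticator" />
    </Context>
  </Host>
</Engine>

<!-- ===== webapps/sourcename/WEB-INF/web.xml (fragment) ===== -->
<!-- The constraint lives in the application, not the Connector. The
     url-pattern is relative to the Context, so "/*" here already means
     everything under /sourcename/. CONFIDENTIAL forces HTTPS, which is
     what makes the certificate request possible at all. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>cert</role-name>
</security-role>

<!-- ===== conf/tomcat-users.xml (fragment, placeholder DN) ===== -->
<!-- The user name the Realm sees is the certificate's Subject DN in the
     form Tomcat produces it; take it from the catalina log at debug level
     or from the certificate itself rather than typing it from memory. -->
<tomcat-users>
  <role rolename="cert" />
  <user username="CN=example-user, OU=Example Unit, O=Example Org, C=XX"
        password="" roles="cert" />
</tomcat-users>
```

Two things to check when this is rolled out. First, because the handshake was completed without a certificate, Tomcat has to renegotiate to obtain one, so a client or intermediate proxy that disables renegotiation will see a connection error on /sourcename rather than a certificate prompt; the thread's alternative, clientAuth="want", asks every client for a certificate up front and avoids the renegotiation at the cost of prompting users of ROOT as well. Second, the Realm decides authorisation, not the truststore: any certificate chaining to a trusted CA authenticates, and only the DN-to-role mapping restricts who is actually allowed in, so the mapping should be reviewed with the same care as the truststore contents.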