Nathan,

On 10/1/14 10:02 AM, Nathan Quirynen wrote:
> Hi Tomcat users,
>
> A current application has client authentication configured in the
> SSL Connector (server.xml):
>
> <Connector port="8443" ... clientAuth="true"
>            keystoreFile=".keystore" keystorePass="..."
>            truststoreFile=".truststore" truststorePass="..." />
>
> And the CA root certificates have been added to the truststore.
>
> This way it asks for a client certificate in any case, which works
> and is fine for this application. For a new application the use
> case is a bit different. I only need client authentication for a
> specific defined path (for example: /secured/*). After some
> research I found this was possible with defining this on
> application level in the web.xml file. So I changed my
> configuration to:
>
> server.xml:
>
> <Connector port="8443" ... clientAuth="false"
>            keystoreFile=".keystore" keystorePass="..."
>            truststoreFile=".truststore" truststorePass="..." />
>
> web.xml:
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Secureconn</web-resource-name>
>     <url-pattern>/secured/*</url-pattern>
>     <http-method>GET</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>secureconn</role-name>
>   </auth-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
>   <realm-name>Secureconn</realm-name>
> </login-config>
> <security-role>
>   <role-name>secureconn</role-name>
> </security-role>
>
> In this case it actually only asks for client authentication when
> going to for example "secured/home" page. But I'm getting a 401
> message code.
>
> What am I missing to get people authenticated based on the CA root
> certificates that are in the configured truststore? Is it even
> possible what I am trying?

What happens if you change clientAuth="false" to clientAuth="want"?

-chris