On 01/10/14 18:08, Christopher Schultz wrote:
> Nathan,
>
> On 10/1/14 10:02 AM, Nathan Quirynen wrote:
>> Hi Tomcat users,
>>
>> A current application has client authentication configured in the
>> SSL Connector (server.xml):
>>
>> <Connector port="8443" ... clientAuth="true"
>>            keystoreFile=".keystore" keystorePass="..."
>>            truststoreFile=".truststore" truststorePass="..." />
>>
>> And the CA root certificates have been added to the truststore.
>>
>> This way it asks for a client certificate in any case, which works
>> and is fine for this application. For a new application the use
>> case is a bit different. I only need client authentication for a
>> specific defined path (for example: /secured/*). After some
>> research I found this was possible with defining this on
>> application level in the web.xml file. So I changed my
>> configuration to:
>>
>> server.xml:
>>
>> <Connector port="8443" ... clientAuth="false"
>>            keystoreFile=".keystore" keystorePass="..."
>>            truststoreFile=".truststore" truststorePass="..." />
>>
>> web.xml:
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>Secureconn</web-resource-name>
>>     <url-pattern>/secured/*</url-pattern>
>>     <http-method>GET</http-method>
>>   </web-resource-collection>
>>   <auth-constraint>
>>     <role-name>secureconn</role-name>
>>   </auth-constraint>
>> </security-constraint>
>> <login-config>
>>   <auth-method>CLIENT-CERT</auth-method>
>>   <realm-name>Secureconn</realm-name>
>> </login-config>
>> <security-role>
>>   <role-name>secureconn</role-name>
>> </security-role>
>>
>> In this case it actually only asks for client authentication when
>> going to for example "secured/home" page. But I'm getting a 401
>> message code.
>>
>> What am I missing to get people authenticated based on the CA root
>> certificates that are in the configured truststore? Is it even
>> possible what I am trying?
>
> What happens if you change clientAuth="false" to clientAuth="want"?
>
> -chris

Hey Chris,

If I change it to "want" I still get the same error:

HTTP Status 401 - Cannot authenticate with the provided credentials
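
A diagnostic for the setup discussed in this thread, added here as an example and not code from either poster or from Tomcat: it shows whether a client certificate reaches the container and which subject DN it carries, since with `CLIENT-CERT` Tomcat passes the chain to the configured Realm, which must map it to a user holding the `secureconn` role. It assumes a Servlet 3.0+ container with the `javax.servlet` API, `clientAuth="want"` on the Connector, and a hypothetical `/cert-debug` mapping outside `/secured/*`.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical troubleshooting servlet. It is mapped outside /secured/* so the
// security-constraint cannot reject the request before this code runs.
// Remove it once the problem is found: it echoes certificate details.
@WebServlet("/cert-debug")
public class CertDebugServlet extends HttpServlet {

    // Standard Servlet API request attribute for the TLS client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        out.println("Secure connection : " + req.isSecure());

        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // With clientAuth="want" this means the client sent no certificate,
            // or sent one that the truststore did not accept.
            out.println("No client certificate on this connection.");
            return;
        }

        // The chain is ordered leaf first; the leaf identifies the user.
        X509Certificate leaf = chain[0];
        out.println("Chain length      : " + chain.length);
        // Subject DN as a string: the form a Realm has to recognise as a user name.
        out.println("Subject DN        : " + leaf.getSubjectDN().getName());
        out.println("Issuer DN         : " + leaf.getIssuerDN().getName());
        out.println("Serial number     : " + leaf.getSerialNumber().toString(16));
        out.println("Valid until       : " + leaf.getNotAfter());
    }
}
```

If the servlet prints a subject DN while `/secured/*` still answers 401, the TLS layer and truststore are working, and the thing to check is whether the Realm contains a user whose name is exactly that DN string and who has the `secureconn` role.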