On 06/10/2015 15:46, George Stanchev wrote:
> Mark,
>
> What are the possible issues with renegotiation? We're on NIO connectors, is
> there anything known?

NIO should be fine. We've seen odd issues on OSX we haven't been able to track down.

Mark

> George
>
> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Monday, October 05, 2015 8:32 AM
> To: Tomcat Users List
> Subject: Re: Demand CLIENT-CERT only on certain pages but demand SSL in all pages
>
> On 05/10/2015 12:05, Gael Abadin wrote:
>> Hello, fellow users.
>>
>> I've been trying to configure tomcat to request client certificate
>> authentication on a single page, while serving every other SSL page
>> without requesting a client certificate (before or after
>> authentication). Depending on the configuration I use, one of 2 things
>> happens: either I get a request for a client certificate on ANY HTTPS
>> page I visit first, or I do not get a request at all, never, even when
>> I launch the browser and go straight to the protected page
>> (/my-app-name/public/login/login.xhtml).
>>
>> Am I doing something wrong or is this kind of configuration just not
>> possible?
>
> That should be possible but you'll need two security constraints. One to
> require TLS everywhere and one for the pages where you require authentication.
>
> You may also hit issues with which connectors support renegotiation (don't
> use APR).
>
> Mark
>
>> Here is my web.xml security constraint and login config (I've also
>> tried omitting <login-config>):
>>
>> <security-constraint>
>>   <web-resource-collection>
>>     <web-resource-name>Protected Context</web-resource-name>
>>     <url-pattern>/public/login/*</url-pattern>
>>   </web-resource-collection>
>>   <user-data-constraint>
>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>   </user-data-constraint>
>> </security-constraint>
>> <login-config>
>>   <auth-method>CLIENT-CERT</auth-method>
>> </login-config>
>>
>> And here is my server.xml config (I've also tried clientAuth="false"
>> and clientAuth="true"):
>>
>> <?xml version="1.0" encoding="UTF-8"?>
>> <Server port="8005" shutdown="SHUTDOWN">
>>   <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>
>>   <!--APR library loader. Documentation at /docs/apr.html -->
>>   <Listener SSLEngine="on" className="org.apache.catalina.core.AprLifecycleListener"/>
>>   <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
>>   <Listener className="org.apache.catalina.core.JasperListener"/>
>>   <!-- Prevent memory leaks due to use of particular java/javax APIs-->
>>   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
>>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
>>   <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
>>
>>   <GlobalNamingResources>
>>     <Resource auth="Container" description="User database that can be updated and saved"
>>               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>               name="UserDatabase" pathname="conf/tomcat-users.xml"
>>               type="org.apache.catalina.UserDatabase"/>
>>   </GlobalNamingResources>
>>
>>   <Service name="Catalina">
>>
>>     <Connector connectionTimeout="20000" port="80" protocol="HTTP/1.1"
>>                redirectPort="443"/>
>>
>>     <Connector SSLEnabled="true" clientAuth="want" maxThreads="150"
>>                port="443" protocol="org.apache.coyote.http11.Http11Protocol"
>>                scheme="https" secure="true" sslProtocol="TLS"/>
>>
>>     <Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>
>>
>>     <Engine defaultHost="localhost" name="Catalina">
>>       <Realm className="org.apache.catalina.realm.LockOutRealm">
>>         <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>>                resourceName="UserDatabase"/>
>>       </Realm>
>>       <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true">
>>         <Valve className="org.apache.catalina.valves.AccessLogValve"
>>                directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b"
>>                prefix="localhost_access_log." suffix=".txt"/>
>>         <Context docBase="my-app-name" path="/my-app-name"
>>                  reloadable="true" source="org.eclipse.jst.jee.server:cividas-core-web"/>
>>       </Host>
>>     </Engine>
>>   </Service>
>> </Server>
>>
>> It is my first Tomcat SSL client cert set up so I must be missing
>> something. Hope you may help me see it :-)
>>
>> Cheers,
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
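The two-constraint web.xml that Mark's reply describes, written out as an added example (not posted in the thread): the first constraint forces TLS for the whole application without demanding authentication, and the second adds an <auth-constraint> on the login area, which is what makes the container invoke CLIENT-CERT authentication (the posted web.xml has no <auth-constraint>, so nothing ever triggers it). The role name certificate-user is an assumption for this example.

```xml
<!-- Constructed example for the thread above, not the poster's web.xml. -->

<!-- 1) Every URL of the application must be served over TLS.
     No <auth-constraint> here, so no authentication is demanded. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application over TLS</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- 2) Only the login area additionally requires an authenticated user.
     The <auth-constraint> triggers the CLIENT-CERT challenge; the role
     name "certificate-user" is an assumption of this example. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Client certificate required</web-resource-name>
    <url-pattern>/public/login/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>certificate-user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<!-- Declare the role so the container can map it to realm users. -->
<security-role>
  <role-name>certificate-user</role-name>
</security-role>
```

With the UserDatabaseRealm from the posted server.xml, the user name handed to the realm is the certificate's subject DN, so conf/tomcat-users.xml needs a user with that name carrying this role. Keeping clientAuth="false" on the HTTPS connector means the certificate is requested by TLS renegotiation only when the second constraint is hit, which is exactly where the connector caveats in Mark's reply apply.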