I am trying to set up Tomcat (8.5.28) and the web app correctly in order to get 
mutual authentication (using client certificates) done, but only for some 
resources and not all.

For instance, I have an “authenticate” API for which I want to enable client 
certificate authentication. So, I want only the “/authenticate” URL to ask the 
browser for a client certificate.

I want to first validate whether this client certificate is issued by a trusted CA. 
If yes, accept the request and invoke the “/authenticate” business logic, which 
further validates the certificate/user against our own user database.

Looking at the Tomcat documentation, “clientAuth=want” in server.xml seemed a 
potential option, but the issue with that is that it results in asking for a 
user certificate for all the URLs being invoked from the browser (unless we 
tell the browser to remember the decision). Also, this approach results in 
renegotiation for every request.

This is when I came across the “CLIENT-CERT” alternative, which can be configured 
only for certain URLs (e.g. “/authenticate” in my case). However, I am not able 
to get it configured as expected. I issued a client certificate and imported it 
into the browser, but I am still unable to get the browser pop-up that asks for the 
certificate to be sent. Debugging at the SSL level did not yield much.

https://stackoverflow.com/questions/41438536/protecting-webresource-in-tomcat-8-5-with-client-cert

This is the link that closely matches the requirement, and I saw Chris’ input 
there. However, I have

    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           allRolesMode="authOnly"
           resourceName="UserDatabase" />

in server.xml

and


    <security-constraint>
      <web-resource-collection>
        <web-resource-name>My Secure Area</web-resource-name>
        <url-pattern>/authenticate</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
      <auth-constraint>
        <role-name>*</role-name>
      </auth-constraint>
    </security-constraint>

in my web app’s web.xml.

When I access the URL from the browser, I expected to see a dialog asking for 
the client certificate and then a successful invocation of “/authenticate”. 
However, from the browser I don’t get a pop-up, and I get an HTTP 401 with the 
message below.

    Message: Cannot authenticate with the provided credentials

    Description: The request has not been applied because it lacks valid 
    authentication credentials for the target resource.


Appreciate your help on this.

Thanks,
Amit

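[Editor's note, not part of Amit's post] For reference, below is a complete, working Tomcat 8.5 layout for "ask for a client certificate only on /authenticate", written as an added example rather than taken from the post or from the Stack Overflow answer it links. File paths, keystore passwords, the context path and the certificate subject DN are assumptions. The one structural difference from the snippets in the post is the <login-config> element: Tomcat only wires up its CLIENT-CERT authenticator when web.xml declares auth-method CLIENT-CERT; with a security-constraint but no login-config it falls back to the NonLoginAuthenticator, which answers every auth-constrained request with exactly the 401 "Cannot authenticate with the provided credentials" seen above and never asks the browser for a certificate.

```xml
<!-- conf/server.xml: HTTPS connector.
     certificateVerification="none" means the initial TLS handshake does NOT
     request a client certificate, so ordinary URLs never trigger the browser
     dialog.  When a CLIENT-CERT-protected URL is hit, Tomcat's SSLAuthenticator
     asks the connector for a certificate and the JSSE connector performs a TLS
     renegotiation to obtain it (TLS 1.3 has no renegotiation, so the protocol
     list is pinned to TLSv1.2 here).  The truststore must still contain the
     issuing CA, because that is what the renegotiated certificate is verified
     against.  Paths and passwords below are assumptions. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
  <SSLHostConfig certificateVerification="none"
                 protocols="TLSv1.2"
                 truststoreFile="conf/client-ca.jks"
                 truststorePassword="changeit">
    <Certificate certificateKeystoreFile="conf/server.jks"
                 certificateKeystorePassword="changeit"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

<!-- conf/server.xml, inside <Engine> (or <Host>): allRolesMode="authOnly"
     makes <role-name>*</role-name> pass for any authenticated principal, so the
     user entry needs no roles; the realm still requires the DN to be known. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       allRolesMode="authOnly"
       resourceName="UserDatabase" />

<!-- WEB-INF/web.xml of the web app (assumed context path /myapp).
     The constraint alone does nothing useful; <login-config> is what selects
     the CLIENT-CERT authenticator for this context. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>My Secure Area</web-resource-name>
    <url-pattern>/authenticate</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>My Secure Area</realm-name>
</login-config>

<!-- conf/tomcat-users.xml: UserDatabaseRealm identifies a certificate by its
     full subject DN as Java prints it (RDNs separated by ", "), so the username
     must be that exact string.  The DN is an assumption; the password is unused
     for CLIENT-CERT and left empty. -->
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <user username="CN=amit, OU=Engineering, O=Example Corp, C=IN" password="" />
</tomcat-users>
```

Two checks are worth doing before blaming the browser. First, confirm the issuing CA really is in conf/client-ca.jks with `keytool -list -keystore conf/client-ca.jks`; if it is missing, the renegotiated certificate is rejected and the result is again a 401 or 403 with no dialog. Second, take the browser out of the picture with `openssl s_client -connect localhost:8443 -tls1_2 -cert client.crt -key client.key`, then type `GET /myapp/authenticate HTTP/1.0` followed by a blank line: s_client prints a RENEGOTIATING line when Tomcat requests the certificate, and the response after it tells you whether the realm accepted the DN. If the DN lookup is the problem, logging `request.getUserPrincipal().getName()` (or comparing against `keytool -printcert -file client.crt`) gives the exact string the username attribute has to match.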