I am trying to setup Tomcat (8.5.28) and the web-app correctly in order to get 
the mutual authentication (using client certificates) done but only for some 
recourses and not all.

For instance, I have a “authenticate” API for which I want to enable the client 
certificate authentication.  So, I want only a “/authenticate” URL to ask for a 
client certificate from the browser.

I want to first validate if this client certificate is issued by a trusted CA. 
If yes, accept the request and invoke the “/authenticate” business logic which 
further validates the certificate/user against our own user database.

Looking at Tomcat documentation “clientAuth=want” in server.xml seemed a 
potential option but the issue with that is when this results in asking for 
user certificate for all the URLs being invoked from the Browser (unless we 
tell Browser to remember the decision). Also, this approach results in 
renegotiation for every request.

This is when I came across, “CLIENT-CERT” alternate, which can be configured 
only for certain URL (e.g. “/authenticate” in my case). However, I am not able 
to get it configured as expected. I issued a client certificate and imported in 
browser but still unable to get the browser pop-up which asks for the 
certificate to be sent. Debugging SSL level did not yield much.


This is the link that closely matches the requirement and I saw Chris’ input 
there. However,

“Realm className="org.apache.catalina.realm.UserDatabaseRealm"
    resourceName="UserDatabase" />
In server.xml




    <web-resource-name>My Secure Area</web-resource-name>










In my web app’s web.xml.

When I access the URL from browser, I expected to see a dialog asking for 
client-certificate and then a successful invocation of the “/authenticate”. 
However, from browser, I don’t get a pop-up and I get a HTTP 401 with below 

Message Cannot authenticate with the provided credentials

Description The request has not been applied because it lacks valid 
authentication credentials for the target resource.

Appreciate your help on this.


Reply via email to