Hi,

We are using Tomcat version 7.0.11.

Here are the changes we made in server.xml:

<Connector SSLEnabled="true" clientAuth="true" keyAlias="tomcat"
keyPass="xyz" keystoreFile="C:/Users/keystorepath/key.keystore"
maxThreads="150" port="8443"
protocol="org.apache.coyote.http11.Http11Protocol"
scheme="https" secure="true" sslProtocol="TLS" trustMaxCertLength="10"
truststoreFile="C:/Users/trustorepath/truststore.keystore"
truststorePass="abc"/>

Here is my tomcat-users.xml:

<tomcat-users>
  <role rolename="manager"/>
  <role rolename="admin"/>
  <role rolename="developer"/>
  <role rolename="manager-gui"/>
  <role rolename="webservice"/>
  <user username="admin" password="folsom!1"
        roles="admin,manager,manager-gui" />
  <user username="developer" password="folsom" roles="manager,manager-gui" />
  <user username="EMAILADDRESS=a...@xyz.com, CN=certauth, OU=OU1, O=XYZ, L=ABC, ST=CA, C=US"
        password=""
        roles="webservice,admin,manager,manager-gui"/>
</tomcat-users>

I have changed the web.xml of my web services to refer to the role
configured in the tomcat-users.xml.

Here is the web.xml:

<security-constraint>
  <display-name>ClientCertificateRequired</display-name>
  <web-resource-collection>
    <web-resource-name>MyWebService</web-resource-name>
    <description></description>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description></description>
    <role-name>webservice</role-name>
  </auth-constraint>
  <user-data-constraint>
    <description></description>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>tomcat-users</realm-name>
</login-config>
<security-role>
  <description></description>
  <role-name>webservice</role-name>
</security-role>

In other web applications, I didn't make any changes in the web.xml of those
apps.


Regards,
Savitha

On Thu, Dec 8, 2011 at 9:43 AM, Daniel Mikusa <dmik...@vmware.com> wrote:

> On Thu, 2011-12-08 at 08:49 -0800, Savitha Akella wrote:
> > Hi,
> >
> > I have multiple applications hosted on my Tomcat server which include
> > web services, web applications etc.
> >
> > To secure the web services, we made changes to server.xml ->connector
>
> What specifically did you change in server.xml?
>
> Please also list your connector configuration and what version of Tomcat
> you are using.
>
> Dan
>
> > element and defined roles in tomcat-users.xml.
> > In the web services, we made changes in the web.xml to add the
> > security-constraint, security-role etc.
> >
> > However, the problem we are facing is that all the web applications
> > hosted on the Tomcat are prompting for a certificate while accessing them.
> >
> > Is there any way to restrict the security only to a single web component
> > on the Tomcat server rather than the entire server or all applications on
> > the server.
> >
> > Thanks,
> > Savitha
>
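
An added example, not part of the original messages or of Tomcat itself: a Python check that reads a server.xml and a web.xml and reports whether the client-certificate demand sits on the connector (every application on that port) or only on URL patterns protected with CLIENT-CERT. It follows Tomcat's documented clientAuth semantics; the XML samples and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Connector in this thread (paths, passwords dropped).
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             sslProtocol="TLS" clientAuth="true"/>
</Service></Server>"""

# Constructed web.xml fragment with the same CLIENT-CERT constraint as the post.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection><url-pattern>/*</url-pattern></web-resource-collection>
    <auth-constraint><role-name>webservice</role-name></auth-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

def connector_cert_scope(server_xml):
    """Map each TLS connector port to how widely it asks for a client certificate."""
    scope = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector, no TLS handshake
        mode = conn.get("clientAuth", "false").lower()  # Tomcat default is false
        if mode in ("true", "yes"):
            scope[conn.get("port")] = "every-app"  # required during the handshake
        elif mode == "want":
            scope[conn.get("port")] = "requested-optional"
        else:
            scope[conn.get("port")] = "per-app"  # only for CLIENT-CERT resources
    return scope

def client_cert_patterns(web_xml):
    """URL patterns this web.xml protects with CLIENT-CERT authentication."""
    root = ET.fromstring(web_xml)
    # Strip namespaces so DTD-style and schema-style descriptors both work.
    local = lambda el: el.tag.rsplit("}", 1)[-1]
    method = next((e.text.strip() for e in root.iter() if local(e) == "auth-method" and e.text), "")
    if method != "CLIENT-CERT":
        return []
    patterns = []
    for sc in (e for e in root.iter() if local(e) == "security-constraint"):
        if any(local(e) == "auth-constraint" for e in sc):
            patterns += [e.text.strip() for e in sc.iter() if local(e) == "url-pattern"]
    return patterns

if __name__ == "__main__":
    print(connector_cert_scope(SERVER_XML), client_cert_patterns(WEB_XML))
```

For the connector posted above the result is "every-app" on port 8443, which matches the symptom that all applications prompt for a certificate; with clientAuth left at false, the demand is limited to the patterns the second function lists.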
