Hi,

I want to use client-certificate authentication in our web application. 
There are two things that I really don't understand:

First:

Why is it necessary to set clientAuth = true in the Factory-tag when 
configuring a Connector for SSL in server.xml, when only a certain part of 
the application should be protected from unauthorized access? It seems to 
me that this flag should only indicate whether mutual authentication 
(server and client authentication) should occur during the SSL handshake 
or not. Consider the situation that I set this flag to false and set a 
security role constraint for a certain servlet with authentication method 
CLIENT-CERT. I would then expect that Tomcat asks the web browser to 
present the client certificate (and bind it as an attribute to the request 
object) the moment I try to connect to this protected servlet. Instead 
I get the error "No certificate chain found in this request".
The only possible moment to authenticate a user is during the mutual 
authentication (i.e. setting the clientAuth flag to yes) when the user 
connects to the application for the first time. I think this does not 
conform to any of Sun's servlet specifications. Is this really a 
restriction of Tomcat or not?

Second:

When I set a security role constraint for a servlet with CLIENT-CERT as the 
authentication method, Tomcat forces me to put a CONFIDENTIAL transport 
guarantee constraint for this servlet in web.xml. Although I understand 
that for the client certificate authentication process an SSL connection is 
used, I don't understand why the access to the servlet itself also must 
occur over an SSL connection. I only want the CLIENT-CERT as a secure 
authentication mechanism, but I don't always want a confidential transport 
(which puts a heavy load on the overall performance of my web application). 
Is this also a restriction of Tomcat? If not, what should I do to 
accomplish this?

Thanks in advance,

Ron Blom
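For reference, here is the pair of configuration fragments the question is about: a Tomcat 4-style SSL Connector whose nested Factory carries the clientAuth flag, and the web.xml security constraint that combines CLIENT-CERT with a CONFIDENTIAL transport guarantee. This is an added, constructed example and not part of the message above; the port, keystore path and password, URL pattern, realm name and role name are placeholders.

```xml
<!-- server.xml fragment (Tomcat 4 style: Factory nested inside the Connector).
     Port, keystoreFile and keystorePass are placeholder values. -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" scheme="https" secure="true">
  <!-- clientAuth="true" makes the SSL handshake request a client certificate
       for every connection on this Connector, not only for protected URLs. -->
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="true" protocol="TLS"
           keystoreFile="/path/to/keystore" keystorePass="changeit"/>
</Connector>

<!-- web.xml fragment: only /secure/* requires a certificate-backed role,
     and that part is forced onto SSL by the CONFIDENTIAL guarantee. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Certificate-protected servlet</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>certuser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Client Certificate Realm</realm-name>
</login-config>

<security-role>
  <role-name>certuser</role-name>
</security-role>

<!-- After a successful handshake the verified chain is available to the
     servlet as the request attribute javax.servlet.request.X509Certificate
     (an array of java.security.cert.X509Certificate). -->
```

With a file-based realm, the user name that must be mapped to the certuser role is the subject distinguished name of the presented certificate.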
