<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hi,
>
> I want to use client-certificate authentication in our web application.
> There are two things that I really don't understand:
>
> First:
>
> Why is it necessary to set clientAuth = true in the Factory tag when
> configuring a Connector for SSL in server.xml, when only a certain part of
> the application should be protected from unauthorized access? It seems to
> me that this flag should only indicate whether mutual authentication
> (server and client authentication) should occur during the SSL handshake
> or not. Consider the situation where I set this flag to false and set a
> security role constraint for a certain servlet with authentication method
> CLIENT-CERT. I would then expect Tomcat to ask the web browser to
> present the client certificate (and bind it as an attribute to the request
> object) the moment I try to connect to this protected servlet. Instead
> I get the error "No certificate chain found in this request".
> The only possible moment to authenticate a user is during the mutual
> authentication (i.e. setting the clientAuth flag to yes) when the user
> connects to the application for the first time. I think this does not
> conform to any of Sun's servlet specifications. Is this really a
> restriction of Tomcat or not?
>
It's not necessary to specify clientAuth="true" if you have configured your
app to use CLIENT-CERT. Tomcat will do exactly what you expect it to do with
clientAuth="false", provided that your client is new enough to support SSL
renegotiation.

> Second:
>
> When I set a security role constraint for a servlet with CLIENT-CERT as the
> authentication method, Tomcat forces me to put a CONFIDENTIAL transport
> guarantee constraint for this servlet in web.xml. Although I understand
> that an SSL connection is used for the client certificate authentication
> process, I don't understand why access to the servlet itself must also
> occur over an SSL connection. I only want the CLIENT-CERT as a secure
> authentication mechanism, but I don't always want a confidential transport
> (which puts a heavy load on the overall performance of my web application).
> Is this also a restriction of Tomcat? If not, what should I do to
> accomplish this?
>

This is a restriction of the protocol. CLIENT-CERT auth works like Basic: the
browser sends the credentials each time it connects. The only way it can do
this is if it is using an SSL connection. If it dropped the SSL connection and
switched to an HTTP connection, Tomcat would have no way of knowing who the
client is.

> Thanks in advance,
>
> Ron Blom
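The configuration the reply describes, written out as an added example (this is not configuration from the original thread, and the keystore path, password, ports, URL pattern, role name and user DN are placeholder assumptions). It uses the Tomcat 4-style `<Factory>` element the poster refers to; in Tomcat 5 and later the `clientAuth` attribute (`true`, `false` or `want`) sits on the `<Connector>` element itself, and Tomcat 8.5+ expresses the same thing as `certificateVerification` on `<SSLHostConfig>`.

```xml
<!-- server.xml: a plain HTTP connector plus an SSL connector.
     redirectPort on the plain connector is what a CONFIDENTIAL
     transport-guarantee uses to bounce HTTP requests to SSL. -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8080" redirectPort="8443"/>

<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" scheme="https" secure="true">
  <!-- clientAuth="false": the server does NOT demand a certificate in the
       initial handshake, so ordinary pages stay anonymous. Tomcat requests
       the certificate (by renegotiating the SSL session) only when a request
       reaches a resource that is constrained to CLIENT-CERT below. If the
       client or JVM cannot renegotiate, the poster's "No certificate chain
       found in this request" error is what you get; the fallback is
       clientAuth="true", which asks every client for a certificate up front.
       keystoreFile/keystorePass are assumed placeholders. -->
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="false" protocol="TLS"
           keystoreFile="/path/to/keystore" keystorePass="changeit"/>
</Connector>

<!-- web.xml: protect only part of the application with CLIENT-CERT. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Certificate-protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>   <!-- assumed path -->
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert-user</role-name>       <!-- assumed role name -->
  </auth-constraint>
  <user-data-constraint>
    <!-- Required together with CLIENT-CERT, for the reason given in the
         reply: the client's identity exists only inside the SSL session,
         so every request into this URL space must arrive over SSL. A plain
         HTTP request for /secure/* is redirected to port 8443. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- No realm-name / form pages: the certificate is the credential. -->
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>cert-user</role-name>
</security-role>

<!-- tomcat-users.xml (MemoryRealm): Tomcat's CLIENT-CERT authenticator uses
     the certificate's Subject DN as the user name it looks up in the Realm,
     so the DN, not a login name, must be mapped to the role. The DN below
     is an assumed example; the exact string form (spacing after commas)
     depends on the Tomcat version, so copy it from what the realm logs. -->
<user name="CN=Ron Blom, OU=Dev, O=Example, C=NL" password="" roles="cert-user"/>
```

Once authenticated, the servlet can read the presented chain from the request attribute `javax.servlet.request.X509Certificate` (an `X509Certificate[]`, leaf certificate first), which is the attribute binding the poster expected; it is only populated on requests that arrived over the SSL connector, which is the practical consequence of the CONFIDENTIAL requirement the reply explains.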
