"Mahesh S Kudva" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Hi All > > Thanks for the note. May be I was not clear in my earlier mail. > > > I have client authentication using certificates. I want to skip client > auth for certain hosted applications on the server but preserve client > auth for other apps. >

On the Connector leave the 'clientAuth' attribute as 'false' (or use
'want', if you really want to be annoying :). Then in the webapps that
care, set up your web.xml files with something like:

  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

In this case, any page protected by a <security-constraint> will force
the user to send a client-cert. Unfortunately, most of the
production-quality Realms that ship with Tomcat don't support
CLIENT-CERT auth.

For 4.1.x <= tcversion <= 5.0.x, there is also a request attribute that
you can use to do the same thing. If you need it, search the archives.

> Regards & Thanks
> ================
> Mahesh S Kudva
>
>
> -----Original Message-----
> From: Paul Singleton <[EMAIL PROTECTED]>
> To: Tomcat Users List <tomcat-user@jakarta.apache.org>
> Date: Fri, 01 Jul 2005 15:32:12 +0100
> Subject: Re: Certificate Authentication for individual apps
>
>> Mahesh S Kudva wrote:
>>
>> > How can I have different certificate authentication for different
>> > applications and skip certificate authentication for some
>> > applications hosted on the same server.
>>
>> I believe that, at least under SSL, certificates authenticate
>> *servers* not applications, and that the Connector offers a
>> certificate before it checks, or regardless of, the context
>> path within that server.
>>
>> So you need to deploy each app at a different (virtual) host,
>> each with a different IP address. We do this currently with
>> 5.5.9. You can use the default keystore for all hosts, and
>> use the (undocumented) keyAlias="myalias" Connector attribute
>> to offer the appropriate certificate for each host, e.g.
>>
>>    <Connector
>>      address="288.104.197.211"
>>      port="8443"
>>      scheme="https"
>>      secure="true"
>>      sslProtocol="TLS"
>>      keyAlias="mrk2"
>>    />
>>
>> (in 5.5.9 you also need sslProtocol="TLS" explicitly)
>>
>> Paul Singleton
>
> -------------------------------------------------------
> Robosoft Technologies - Partners in Product Development
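
The setup described in the reply above, written out as an added example that is not part of the original thread: a shared HTTPS Connector that does not demand a certificate at the handshake, and the web.xml of one webapp that does require one. The port, the URL pattern and the role name `certuser` are assumptions; how a certificate is mapped to that role depends on the Realm in use.

```xml
<!-- Added example, not from the original thread. -->

<!-- conf/server.xml: one HTTPS Connector shared by every webapp.
     clientAuth="false" means no client certificate is demanded during
     the initial handshake, so webapps that do not ask for one stay
     reachable without it. -->
<Connector
    port="8443"
    scheme="https"
    secure="true"
    sslProtocol="TLS"
    clientAuth="false"
/>

<!-- WEB-INF/web.xml of a webapp that DOES require a client certificate.
     These elements go inside <web-app>. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Certificate-protected area</web-resource-name>
    <!-- assumed pattern: protect the whole application -->
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- assumed role name; the Realm must grant it to the certificate's user -->
    <role-name>certuser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- require HTTPS for these URLs; a client certificate can only arrive over SSL -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>certuser</role-name>
</security-role>

<!-- Webapps that should skip client auth leave out the CLIENT-CERT
     <login-config>; nothing in them triggers a certificate request. -->
```

Only URLs matched by a `<security-constraint>` trigger the certificate request, so a webapp that declares CLIENT-CERT but constrains nothing remains open to clients without a certificate.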