The clientAuth attribute of the connector has to be set to true. Then you will need a client cert to access resources under /html/*, but not other pages. See the Tomcat SSL guide on how to create the client cert.
ND

-----Original Message-----
From: Markus [mailto:[EMAIL PROTECTED]
Sent: Wednesday, February 01, 2006 9:22 AM
To: Tomcat Users List
Subject: Re: Tomcat and client certificates

Setting clientAuth to true / false in the Connector configuration works fine, but how do I configure client authentication on a per-directory or even per-servlet basis?

This is my current configuration:

In server.xml:

<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="\...\keystore.jks" keystorePass="wonttell"
           truststoreFile="\...\truststore.jks" truststorePass="wonttell" />

In web.xml:

<security-constraint>
  <web-resource-collection>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
  <user-data-constraint/>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

And here are the results I get:

https://domain/anypage : OK
https://domain/html/anypage : HTTP Status 403 - Access to the requested resource has been denied

The logfile says:

01.02.2006 15:19:57 org.apache.coyote.http11.Http11Processor action
WARNING: Exception getting SSL Cert
java.net.SocketException: Socket Closed

What's wrong with my configuration?

Markus

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
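
An added example, not part of either poster's message and not taken from the Tomcat documentation: the web.xml constraint from the question beside a form that can admit a certificate-authenticated user. Under the Servlet specification an empty <auth-constraint/> denies access to every caller, which matches the 403 reported for /html/*. The role name certuser, the web-resource-name and the subject DN are constructed for illustration, and the user entry assumes Tomcat's default tomcat-users.xml user database.

```xml
<!-- web.xml as posted: the empty auth-constraint names no role, so /html/*
     is refused for every caller, with or without a client certificate -->
<security-constraint>
  <web-resource-collection>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <auth-constraint/>
  <user-data-constraint/>
</security-constraint>

<!-- web.xml, corrected form (role name "certuser" is hypothetical) -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Certificate-protected pages</web-resource-name>
    <url-pattern>/html/*</url-pattern>
  </web-resource-collection>
  <!-- only callers mapped to this role are admitted -->
  <auth-constraint>
    <role-name>certuser</role-name>
  </auth-constraint>
  <!-- require an encrypted transport for these URLs -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>certuser</role-name>
</security-role>

<!-- conf/tomcat-users.xml (assumed realm): the username is the subject DN
     of the client certificate (constructed value) and must match the DN
     string exactly as Tomcat reports it; the password attribute is not
     used for certificate logins -->
<role rolename="certuser"/>
<user username="CN=Example Client, OU=Example Unit, O=Example Org, C=US"
      password="null" roles="certuser"/>
```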