> Please don't top post here. Respond below the text to which you are
> responding.
> It's easier to read that way. See below.
Sorry - it's Google formatting if I press "Answer".
> That should be solvable just by the <auth-requirements> of each Context.
I tried to google it - but nothing... Can you please give a link to something
about it?
Plus some additional info.
Now - we use configuration via web.xml:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>*</web-resource-name>
        <url-pattern>/sourcename/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>cert</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
    <role-name>cert</role-name>
</security-role>
And for ROOT the configuration is described in server.xml:
<Context docBase="ROOT" path="">
    <Valve className="org.apache.catalina.valves.SomeAuthValve"
           FLDAPAppName="SOME"
           FLDAPDebug="1"
           FLDAPLogin="https://some" />
</Context>
So the task is to create a second Context for
<url-pattern>/sourcename/*</url-pattern> with
<auth-method>CLIENT-CERT</auth-method>, but in Context "terminology".
2014-02-04 André Warnier <[email protected]>:
> Hi.
>
> Please don't top post here. Respond below the text to which you are
> responding.
> It's easier to read that way. See below.
>
>
>
>> 2014-02-04 André Warnier <[email protected]>:
>>
>> Арсений Зинченко wrote:
>>>
>>> Hi.
>>>>
>>>> Task is - have the ability to use HTTP/HTTPS without clientAuth for ROOT,
>>>> but enable two-factor auth (clientAuth="true" and using trustedstore.jks)
>>>> for other Context.
>>>>
>>>> Can somebody please give any tips?
>>>>
>>>>
>>>> I don't know much about SSL, but isn't the answer right here ?
>>>
>>> http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>>>
>>> clientAuth
>>>
>>> Set to true if you want the SSL stack to require a valid certificate
>>> chain from the client before accepting a connection. Set to want if you
>>> want the SSL stack to request a client Certificate, but not fail if one
>>> isn't presented. A false value (which is the default) will not require a
>>> certificate chain unless the client requests a resource protected by a
>>> security constraint that uses CLIENT-CERT authentication.
>>>
>>> If I understand the above correctly, then setting clientAuth="false" in
>>> the Connector, and then requesting a CLIENT-CERT authentication only in
>>> your "other Context", should do the trick, no ?
>>>
>>>
>>>
> Арсений Зинченко wrote:
> > Yes, this is exactly what I want and I see this manual too.
> > But - how to specify different clientAuth= for different Contexts? I
> > found "SSL Authenticator Valve
> > <http://tomcat.apache.org/tomcat-7.0-doc/config/valve.html#SSL_Authenticator_Valve>"
> > - but there is nothing about how to do it... And I don't see any
> > possibility to do it with any other Context options
> > <http://tomcat.apache.org/tomcat-7.0-doc/config/context.html#Context_Parameters>...
> >
> >
> Sorry, as I mentioned earlier, I do not know much about SSL and cannot
> help you with the details.
>
> One thing though : the setup of an SSL connection happens *before* Tomcat
> even knows to which application the browser wants to talk. Some properties
> of that connection may not be changeable anymore, at the level of a Context.
> You can just tell the Context to make use or not of some of these
> properties, not really change them.
>
> In your case though, it seems that you want the following :
> - clients connect via SSL
> - some Context's then (later) require clientAuth
> - and some other Context's (later) do not require clientAuth
> That should be solvable just by the <auth-requirements> of each Context.
>
> If you want some Context's to be accessible via HTTP/HTTPS, and others
> only via HTTPS, that also is a parameter that you can specify in each
> context's web.xml.
> (<transport-guarantee> or something like that)
>
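As an added example (not part of this thread, nor Tomcat's own documentation), here is how the split André describes can be expressed in Tomcat 7: clientAuth="false" on the Connector, a separate Context for /sourcename, and that webapp's own web.xml carrying the CLIENT-CERT constraint. The port, keystore file names, passwords and the docBase "sourcename" are assumptions.

```xml
<!-- server.xml (excerpt): one HTTPS connector shared by all webapps -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           truststoreFile="conf/trustedstore.jks" truststorePass="changeit"
           clientAuth="false" />
<!-- clientAuth="false": the handshake never demands a client certificate.
     Tomcat requests one later only for resources protected by a
     CLIENT-CERT constraint. A clientAuth="true" connector would force a
     certificate on every webapp, ROOT included. -->

<Host name="localhost" appBase="webapps">
  <!-- ROOT keeps its existing valve and needs no client certificate -->
  <Context docBase="ROOT" path="">
    <Valve className="org.apache.catalina.valves.SomeAuthValve"
           FLDAPAppName="SOME" FLDAPDebug="1" FLDAPLogin="https://some" />
  </Context>
  <!-- second webapp served under /sourcename; its own WEB-INF/web.xml
       (below) requires the certificate -->
  <Context docBase="sourcename" path="/sourcename" />
</Host>

<!-- webapps/sourcename/WEB-INF/web.xml (excerpt). The pattern is /* here
     because the context path itself already is /sourcename. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>all</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- HTTPS only for this webapp; ROOT stays reachable over HTTP too -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>cert</role-name>
</security-role>
```

The "cert" role still has to be granted by the Realm: with the default UserDatabaseRealm that means a tomcat-users.xml entry whose username is the client certificate's subject DN, since CLIENT-CERT uses that DN as the principal name.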