Am 2020-02-29 um 10:09 schrieb Thomas Meyer:
Am 27. Februar 2020 10:58:01 MEZ schrieb "Martynas Jusevičius"
<marty...@atomgraph.com>:
Hi list,
I'm using a Docker image based on tomcat:8.0-jre8. It serves as an
end-user facing webapp but also as a REST API which authenticates
using client certificates. The same URLs serve both purposes, however
only administrators are using the API.
The Connector is configured using clientAuth="want".
This works fine with API calls which are run from shell scripts.
In the browser however it prompts a certificate selection (if there
are any client certs). This would not be a problem if the webapp would
not be user-facing, but since it is the certificate prompt can be
confusing to many users and increase our bounce rate.
I'm looking for some workaround that would not require changing the
whole design. For example asking for the client cert only when a
certain flag is set, such as a query param or request header.
Or somehow not asking for it but still accepting it :) But I guess
that's not how TLS works...
Any ideas? Thanks.
Martynas
atomgraph.com
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Hi,
Instead of configuring the container for client cert Auth change the webapp:
1) define a realm in local context.xml
2) add resp security constraint only for rest api calls
This will not help. You cannot configure cert-based auth from the
context.xml. Tomcat does not support renegotiation of TLS contexts based
on URLs like HTTPd.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
