Hi everybody,

I am trying to configure Apache Tomcat in https mode with two types of resources:

1. Unprotected resources anyone can visit
2. Protected resources, where the client has to authenticate with a certificate (issued by a known Certification Authority).

The problem is that until now I have only been able to protect all the resources or none of them. The only way I found to have both protected and unprotected resources is using realm authentication [1]:
To specify a requirement that protected resources be received over a protected transport layer connection (SSL), specify a user data constraint in the application deployment descriptor. The following is an example of a web.xml application deployment descriptor that specifies that SSL be used:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>view dept data</web-resource-name>
        <url-pattern>/hr/employee/*</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <role-name>DEPT_ADMIN</role-name>
      </auth-constraint>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

And defining in the tomcat-users.xml (or another resource if any other standard realm implementation is used) the users that play the DEPT_ADMIN role.

The problem is that I don't know the owner of the certificate in advance, so I can't include it in the realm configuration. The application should allow access to any user who presents a valid certificate issued by a previously known CA.

I've found a bug reported two months ago [2], but it's reported as closed now.

My configuration is:

Win XP SP3
Apache Tomcat 6.0
Java 1.5

I'd really appreciate it if anyone can help me out.

Thanks in advance,
Manuel

[1] http://java.sun.com/javaee/5/docs/tutorial/doc/bnbxw.html
[2] https://issues.apache.org/bugzilla/show_bug.cgi?id=46498