I would like my Tomcat instance to authenticate different roles differently. E.g., admins must use SSL client auth, while regular users use HTTP basic authentication over SSL. This seems like a routine requirement, but it's unsupported in Tomcat 6 (or 7).

I have a workaround -- use an Apache reverse proxy for authentication. The disadvantages are that Tomcat roles are unavailable, and admin users and regular users connect to the same resource with different URLs.

The ideal solution would be to use SSL with selectable client authentication. In this mode, HTTP basic authentication would be skipped if the client had already presented a valid SSL client certificate. Can Tomcat be made to do this?

--Steve