On 13/02/2012 17:42, Christopher Schultz wrote:
> Sanjeev,
>
> On 2/9/12 11:17 AM, Sanjeev Sharma wrote:
>> I work on a Java web-app running on Tomcat 7. The entire
>> application is required to be doing SSL on port 443 (everything is
>> accessed via https://). Two different login options are given to
>> the user: username/password or client certificate authentication.
>> We employ application-managed security as opposed to
>> container-managed (i.e. we don't use realms). I have the following
>> connector in my server.xml:
>
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>> maxThreads="150" scheme="https" secure="true"
>> keystoreFile="d:\certs\server_cert.jks" keystorePass="changeit"
>> truststoreFile="d:\certs\truststore.jks" truststorePass="changeit"
>> clientAuth="true" sslProtocol="TLS" />
>
>
>> This forces mutual authentication on anything I try to access
>> using https. How can I configure Tomcat so that only specific links
>> (a specific struts action for example) would require mutual
>> authentication or how can I exclude from the mutual
>> authentication.
>
> I think what you want is clientAuth="want" and then you can maybe
> write a Filter that requires certain SSL certificate features in order
> to pass-through. Then, just map your Filter to those areas that
> require (additional?) SSL authentication.

Is this a variation on the SSLFormFallback thing again?

p

--
[key:62590808]
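
Added example, not code posted by anyone in this thread: a sketch of the Filter approach suggested in the quoted reply, for a connector set to clientAuth="want". It assumes the javax.servlet API shipped with Tomcat 7; the class name `ClientCertRequiredFilter` and the `requiredIssuerDN` init-param are hypothetical names chosen for the illustration.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: map it only to the URLs that need a client certificate.
public class ClientCertRequiredFilter implements Filter {
    private X500Principal requiredIssuer; // null = any issuer the truststore accepts

    @Override
    public void init(FilterConfig cfg) {
        // "requiredIssuerDN" is an init-param name made up for this example.
        String dn = cfg.getInitParameter("requiredIssuerDN");
        requiredIssuer = (dn == null) ? null : new X500Principal(dn);
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // Standard Servlet attribute; null when the client sent no certificate,
        // which clientAuth="want" permits at the TLS layer.
        X509Certificate[] certs = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");
        if (!req.isSecure() || certs == null || certs.length == 0) {
            deny(res, "Client certificate required");
            return;
        }
        X509Certificate leaf = certs[0]; // the client's own certificate comes first
        try {
            leaf.checkValidity(); // re-check notBefore/notAfter at request time
        } catch (CertificateException e) {
            deny(res, "Client certificate expired or not yet valid");
            return;
        }
        if (requiredIssuer != null
                && !requiredIssuer.equals(leaf.getIssuerX500Principal())) {
            deny(res, "Client certificate issuer not accepted");
            return;
        }
        chain.doFilter(req, res);
    }
    private static void deny(ServletResponse res, String msg) throws IOException {
        ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN, msg);
    }
    @Override
    public void destroy() { }
}
```

The filter is declared in web.xml and mapped with a `<filter-mapping>` to the paths that need certificate login; every other URL stays reachable without a certificate. With clientAuth="want" the server still asks for a certificate during every TLS handshake, so the truststore continues to decide which CAs are accepted before this filter ever runs.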