Posted to users@tomcat.apache.org by Leandro Pfleger de Aguiar <le...@bry.com.br> on 2006/09/11 21:33:21 UTC

BASIC + CLIENT-CERT authentication

Hi

    I know that Servlet specification 2.4 presents four manners to authenticate users (in a CMS way to do this): basic, digest, form or client-cert. What I need is to provide a way to authenticate users by passwords or client certificates at the same time. If a user has a certificate he can use it, but if he doesn't have one, he can log in with login/password too.
    The web.xml DTD, however, accepts only one entry for the login-config tag. A possible way to do this is to configure Tomcat's server.xml to always ask for client certificates (clientAuth="want") and then programmatically recover the certificate used. If this value is null, then show the login form with response.setStatus(response.SC_UNAUTHORIZED); and response.setHeader("WWW-Authenticate", "BASIC realm=\"privileged-few\"");

Works?

Thanks!


Leandro P.
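
The fallback described in the message above, written as a servlet filter. This is an added example, not part of the original post or of Tomcat's code: the class name, the two abstract user-store hooks and the `authenticatedUser` attribute are assumptions, and the HTTPS connector is assumed to use `clientAuth="want"` as in the post.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration; class, hook and attribute names are hypothetical.
public abstract class CertOrBasicFilter implements Filter {
    // Assumed hooks into your own user store; return null / false on no match.
    protected abstract String userForSubject(String subjectDn);
    protected abstract boolean passwordMatches(String user, String password);

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain next)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        String user = null;
        // Present only if the TLS handshake carried a certificate the connector trusted.
        X509Certificate[] certs =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs != null && certs.length > 0)
            user = userForSubject(certs[0].getSubjectX500Principal().getName());
        if (user == null && req.isSecure())   // Basic credentials are only read over TLS
            user = userFromBasic(req.getHeader("Authorization"));
        if (user == null) {                   // no mapped certificate, no valid password
            res.setHeader("WWW-Authenticate", "Basic realm=\"privileged-few\"");
            res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        req.setAttribute("authenticatedUser", user); // hypothetical attribute name
        next.doFilter(req, res);
    }

    private String userFromBasic(String header) {
        if (header == null || !header.regionMatches(true, 0, "Basic ", 0, 6)) return null;
        try {
            String pair = new String(Base64.getDecoder().decode(header.substring(6).trim()),
                                     StandardCharsets.UTF_8);
            int colon = pair.indexOf(':');    // split on the first ':' only
            if (colon < 0) return null;
            String user = pair.substring(0, colon);
            return passwordMatches(user, pair.substring(colon + 1)) ? user : null;
        } catch (IllegalArgumentException malformedBase64) {
            return null;
        }
    }
}
```

Because the filter replaces container-managed login, `request.getUserPrincipal()` and `isUserInRole()` stay empty; authorization has to be done against the attribute the filter sets.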