You are viewing a plain text version of this content. The canonical link for it is here.

Posted to users@tomcat.apache.org by Shuwen <we...@yahoo.com> on 2007/09/12 22:19:32 UTC

tomcat ssl client authentication

Hi,
     I would like to find out how to configure client authentication when enabling tomcat to run on https.  From http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html, it says that 
   
  *******************
   For using clientAuth on a per-user or per-session basis, check out the tips in Bugzilla 34643. 
  ******************
  Does it mean that if I would like to configure client authentication, I need to patch the .java file on
  http://issues.apache.org/bugzilla/show_bug.cgi?id=34643?
   
     I have found various sources on internet regarding the issue.  Can anyone recommend a reliable way or point me to the reference for configuring client authentication? 
   
   
   
  Thanks a lot in advance,
   
  Shuwen

       
---------------------------------
Fussy? Opinionated? Impossible to please? Perfect.  Join Yahoo!'s user panel and lay it on us.

Re: tomcat ssl client authentication

Posted by Bill Barker <wb...@wilshire.com>.

"Shuwen" <we...@yahoo.com> wrote in message 
news:303044.1576.qm@web50412.mail.re2.yahoo.com...
> Hi,
>     I would like to find out how to configure client authentication when 
> enabling tomcat to run on https.  From 
> http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html, it says that
>
>  *******************
>   For using clientAuth on a per-user or per-session basis, check out the 
> tips in Bugzilla 34643.
>  ******************
>  Does it mean that if I would like to configure client authentication, I 
> need to patch the .java file on
>  http://issues.apache.org/bugzilla/show_bug.cgi?id=34643?
>

This is mostly about "advanced topics" (e.g. adding users on the fly, 
allowing the webapp to validate the cert).  Most people get by with putting:
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>
in their web.xml file, and configuring the truststore* attributes on the 
<Connector /> in server.xml.

Note, if you apply the patch in 34643, then you are requiring your webapp to 
autherise access to resources based on the client cert.


>     I have found various sources on internet regarding the issue.  Can 
> anyone recommend a reliable way or point me to the reference for 
> configuring client authentication?
>
>



>
>  Thanks a lot in advance,
>
>  Shuwen
>
>
> ---------------------------------
> Fussy? Opinionated? Impossible to please? Perfect.  Join Yahoo!'s user 
> panel and lay it on us. 




---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org