Posted to users@tomcat.apache.org by Steve Mitchell <mi...@intertrust.com> on 2010/12/17 01:36:21 UTC

Authentication and roles (RFE)

I would like my Tomcat instance to authenticate different roles differently.  E.g., admins must use SSL client auth, while regular users use HTTP basic authentication over SSL.  This seems like a routine requirement, but it's unsupported in Tomcat 6 (or 7).

I have a workaround -- use an Apache reverse proxy for authentication.  The disadvantages are that Tomcat roles are unavailable, and admin users and regular users connect to the same resource with different URLs.  

The ideal solution would be to use SSL with selectable client authentication.  In this mode, HTTP basic authentication would be skipped if the client had already presented a valid SSL client certificate.  Can Tomcat be made to do this?

  --Steve



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
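
An added example, not part of the original thread or of Tomcat's code: the behaviour requested above (skip HTTP Basic when the client has already presented a valid SSL client certificate) sketched as an application-level servlet filter rather than a container authenticator. It assumes the HTTPS connector is configured with `clientAuth="want"` and a truststore holding only the CA that issues admin certificates, Java 8 or later, and the role names `admin` and `user`; `CertOrBasicFilter`, `withIdentity` and `checkPassword` are hypothetical names.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.Principal;
import java.security.cert.X509Certificate;
import java.util.Base64;
import javax.servlet.*;
import javax.servlet.http.*;

// Added illustration: client certificate first, HTTP Basic as the fallback.
public class CertOrBasicFilter implements Filter {
    public void init(FilterConfig cfg) {}
    public void destroy() {}
    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse res = (HttpServletResponse) rs;
        if (!req.isSecure()) { res.sendError(HttpServletResponse.SC_FORBIDDEN); return; }
        // Present only when the client sent a certificate chain in the TLS
        // handshake; the connector's truststore decides which chains are accepted.
        X509Certificate[] certs = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs != null && certs.length > 0) {
            String dn = certs[0].getSubjectX500Principal().getName();
            chain.doFilter(withIdentity(req, dn, "admin"), res);  // certificate => admin
            return;
        }
        String h = req.getHeader("Authorization");
        if (h != null && h.regionMatches(true, 0, "Basic ", 0, 6)) {
            try {
                byte[] raw = Base64.getDecoder().decode(h.substring(6).trim());
                String[] up = new String(raw, StandardCharsets.UTF_8).split(":", 2);
                if (up.length == 2 && checkPassword(up[0], up[1])) {
                    chain.doFilter(withIdentity(req, up[0], "user"), res);  // password => user only
                    return;
                }
            } catch (IllegalArgumentException badBase64) { /* fall through to the 401 */ }
        }
        res.setHeader("WWW-Authenticate", "Basic realm=\"app\"");
        res.sendError(HttpServletResponse.SC_UNAUTHORIZED);
    }
    // Hypothetical hook: replace with a lookup against your own user store.
    protected boolean checkPassword(String user, String password) { return false; }

    private static HttpServletRequest withIdentity(HttpServletRequest r,
            final String name, final String role) {
        return new HttpServletRequestWrapper(r) {
            @Override public Principal getUserPrincipal() { return () -> name; }
            @Override public String getRemoteUser() { return name; }
            @Override public boolean isUserInRole(String q) { return role.equals(q); }
        };
    }
}
```

Because the filter supplies the principal and role through a request wrapper, `<security-constraint>` rules in web.xml never see them; authorization checks have to call `isUserInRole` in application code.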


Re: Authentication and roles (RFE)

Posted by Pid <pi...@pidster.com>.
On 17/12/2010 08:27, Mark Thomas wrote:
> On 17/12/2010 07:36, Pid * wrote:
>> On 17 Dec 2010, at 00:37, Steve Mitchell <mi...@intertrust.com> wrote:
>>
>>> I would like my Tomcat instance to authenticate different roles differently.  E.g., admins must use SSL client auth, while regular users use HTTP basic authentication over SSL.  This seems like a routine requirement, but it's unsupported in Tomcat 6 (or 7).
>>
>> Look at the MultiRealm in the docs/svn.
> 
> Multiple Realms won't help. What is required is multiple authenticators
> which isn't supported.

Ah, yes.  Doh.


p

> Mark
> 


Re: Authentication and roles (RFE)

Posted by Mark Thomas <ma...@apache.org>.
On 17/12/2010 07:36, Pid * wrote:
> On 17 Dec 2010, at 00:37, Steve Mitchell <mi...@intertrust.com> wrote:
> 
>> I would like my Tomcat instance to authenticate different roles differently.  E.g., admins must use SSL client auth, while regular users use HTTP basic authentication over SSL.  This seems like a routine requirement, but it's unsupported in Tomcat 6 (or 7).
> 
> Look at the MultiRealm in the docs/svn.

Multiple Realms won't help. What is required is multiple authenticators
which isn't supported.

Mark





Re: Authentication and roles (RFE)

Posted by Pid * <pi...@pidster.com>.
On 17 Dec 2010, at 00:37, Steve Mitchell <mi...@intertrust.com> wrote:

> I would like my Tomcat instance to authenticate different roles differently.  E.g., admins must use SSL client auth, while regular users use HTTP basic authentication over SSL.  This seems like a routine requirement, but it's unsupported in Tomcat 6 (or 7).

Look at the MultiRealm in the docs/svn.


p

>
> I have a workaround -- use an Apache reverse proxy for authentication.  The disadvantages are that Tomcat roles are unavailable, and admin users and regular users connect to the same resource with different URLs.
>
> The ideal solution would be to use SSL with selectable client authentication.  In this mode, HTTP basic authentication would be skipped if the client had already presented a valid SSL client certificate.  Can Tomcat be made to do this?
>
>  --Steve
>
