Posted to users@tomcat.apache.org by rnilsen <rn...@sfjbb.net> on 2006/05/11 15:55:20 UTC

Client-cert authentication across web-applications

Hi,
I have been thinking about replacing the legacy username/password system
used today in my web-applications to use authentication with personal
certificates via client-cert authentication. The problem is that I need to
run multiple instances of the same web-application with different users in
each instance. The way it is done now is thru a legacy system checking the
database if username/password match, then generating a session - which
should still be possible if the webapp is not set up to use client-cert
authentication. 

The examples I see are all based on usernames and password (depending on
authentication) placed in a specific tomcat file - and I can't do that, it
needs to be put into the legacy database for the specific instance. The plan
is to have the user, when entering without a personal certificate, just
enter his/her e-mail address in a field, then posted to a servlet residing
in the specific web-application which then produces an e-mail with an url
and a random confirmation key. When the user clicks this url, he/she will
get the certificate request produced by a servlet which the browser will ask
the user to accept.

So, is it possible to a) have authentication split on each web-app and b)
have the user authentication be based on a legacy system thru e.g. a class in
the web-application itself?