Dear Wiki user,

You have subscribed to a wiki page or wiki category on "Tomcat Wiki" for change 
notification.

The "SSLWithFORMFallback" page has been changed by KonstantinKolinko.
The comment on this change is: Added CategoryFAQ link, Added links to two 
related pages.
http://wiki.apache.org/tomcat/SSLWithFORMFallback?action=diff&rev1=11&rev2=12

--------------------------------------------------

  
  Note: Tested with Tomcat 5.5.17, 5.5.20 and 5.5.25
  
+ See also:
+ 
+  * [[SSLWithFormFallback6]]
+  * [[SSLWithFormFallbackAuthenticator]]
+ 
- SSL Client Authentication (sometimes also known as "Client Certificate" 
authentication) uses the SSL protocol to authenticate clients based on a X509 
Certificate. Normally this is accomlished by configuring SSL in Tomcat, and 
then configuring the Web Application's security descriptor to use "CLIENT-CERT" 
as the auth-method in the login-config section.
+ SSL Client Authentication (sometimes also known as "Client Certificate" 
authentication) uses the SSL protocol to authenticate clients based on a X509 
Certificate. Normally this is accomplished by configuring SSL in Tomcat, and 
then configuring the Web Application's security descriptor to use "CLIENT-CERT" 
as the auth-method in the login-config section.
  
  We found that we wanted to implement 2 levels of security - client 
authentication based on SSL certificates for serious security, but FORM based 
login as a fallback option. This requirement can exist for a number of reasons:
  
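Review bot: the two new "See also" links are spelled [[SSLWithFormFallback6]] and [[SSLWithFormFallbackAuthenticator]] with "Form", while this page is titled "SSLWithFORMFallback"; wiki page names are matched exactly, so confirm the target pages exist under those names before publishing. Beyond that, the replaced paragraph differs from the removed one only in "accomlished" becoming "accomplished", which is a correct spelling fix; the "See also" list is placed above the introductory paragraph, where it would more conventionally sit at the end of the page next to the category footer.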
@@ -15, +20 @@

   * to allow different "user-levels" - high security vs. low security, with 
different functions available
   * etc...
  
- In trying to implement this, we found the only "standard conformant" solution 
was to install the web application multiple times with different authentication 
configurations. This solution was very unsatisfactory for us, as it leads to a 
duplication of services, and the serives are accessible under different 
URLs/Ports depending on the desired security level. That just wasn't what we 
wanted.
+ In trying to implement this, we found the only "standard conformant" solution 
was to install the web application multiple times with different authentication 
configurations. This solution was very unsatisfactory for us, as it leads to a 
duplication of services, and the services are accessible under different 
URLs/Ports depending on the desired security level. That just wasn't what we 
wanted.
  
  So the following solution, unfortunately, is not standards-conformant. This 
is because the J2EE standard, while deferring authentication to the container, 
specifies the authentication method in the webapplication deployment descriptor 
(web.xml). There, only one login-config section is allowed, which counts for 
the whole application. It does not permit you to configure a fallback login 
method.
  
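Review bot: the removed and added paragraphs differ only in "serives" becoming "services", so this hunk is a pure spelling fix and is fine as is. While touching this paragraph, the wording "standard conformant" here and "standards-conformant" in the unchanged paragraph immediately below could be harmonized to one form in a follow-up edit.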
@@ -150, +155 @@

  
  Should you have questions about the code, please feel free to contact me (the 
Author) at:  runger --AT-- aon.at
  
+ ----
+ [[CategoryFAQ]]
+ 
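Review bot: the added `----` rule followed by [[CategoryFAQ]] matches the comment on this change and follows the usual wiki footer layout; the extra "+ " line after the category link only appends a trailing blank line to the page and can be dropped.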

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org