0 Replies Latest reply on Mar 20, 2013 6:29 PM by jbosss

    How to exclude certain URLs from client-auth?

    jbosss

      Hi,

       

      I have successfully set up client-auth for JBoss AS 7.1.1.Final. However, once set up, it tries to do client-auth for every URL in the application. I need it to not do client-auth for certain URLs like the login and the logout page. Is there a way I can exclude some URLs? This is my https connector with the ssl element:

       

                  <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
                      <ssl name="ssl" key-alias="myalias" certificate-key-file="mkeystorelocation" verify-client="want" ca-certificate-file="myTruststoreLocation"/>
                  </connector>

       

      Having verify-client="want" makes the server request a certificate from the browser and use it if it presents one (I have a certificate being read from an external card reader device connected to my client machine). The issue is that when the user tries to log out, since I cannot exclude the logout page from client-auth, it again requests a certificate from the browser and the browser gives it to the server, thus logging the user back in!

       

      How can I prevent this from happening?
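
An added example, not part of the original post and not taken from JBoss documentation: the standard Servlet deployment descriptor (web.xml) scopes container-managed certificate authentication to URL patterns, so paths outside every constraint, such as a login or logout page, are not subject to it. It assumes authentication is done by the container with CLIENT-CERT and that a security domain mapping certificates to roles is already configured; the `/secure/*` path and the `certuser` role are hypothetical names.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml (Servlet 3.0). Constructed example: URL patterns and
     role name are hypothetical and must match the real application. -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">

    <!-- Only requests matching this collection require an authenticated
         caller, so only here does the container act on the certificate. -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>cert-protected</web-resource-name>
            <url-pattern>/secure/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <role-name>certuser</role-name>
        </auth-constraint>
        <!-- Refuse plain HTTP for the protected area. -->
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

    <!-- No security-constraint covers /login or /logout (hypothetical
         paths), so the container does not authenticate requests to them
         even when the browser has presented a certificate. -->

    <!-- Authenticate with the TLS client certificate, not a form. -->
    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

    <security-role>
        <role-name>certuser</role-name>
    </security-role>
</web-app>
```

The `verify-client` attribute on the connector still applies to the whole TLS listener, so the handshake-level certificate request is not changed by this descriptor; only where the container enforces authentication is.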