I have successfully set up client-auth for JBoss AS 7.1.1.Final. However, once set up, it tries to do client-auth for every URL in the application. I need it to not do client-auth for certain URLs like the login and the logout page. Is there a way I can exclude some URLs? This is my https connector with the ssl element
Having verify-client="want" makes the server request a certificate from the browser and use it if the browser presents one (I have a certificate being read from an external card reader device connected to my client machine). The issue is that when the user tries to log out, since I cannot exclude the logout page from client-auth, it again requests a certificate from the browser and the browser gives it to the server, thus resulting in logging the user back in!