3 Replies Latest reply on Jul 6, 2006 11:10 AM by chris griffith

    ClientAuth configuration question

    Jeremy Fox Newbie

      Hello all,

      I am working on a project that would like to do something that I don't know how to accomplish.

      Is it possible to configure a site where certain contexts/directories on that site require client authentication while others do not? (All communications must be done via SSL on port 443 as per requirements.)

      Basically, we need to host a few pages that don't require the user to present their certificate in the event that they do not have one.

      Thank you for any input,


        • 1. Re: ClientAuth configuration question
          chris griffith Expert


          Java Servlet Spec's declarative security does just that. See jboss server guide security chapter http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html
          as well as wiki http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureAWebApplicationInJBoss


          • 2. Re: ClientAuth configuration question
            Jeremy Fox Newbie

            I think I see how that would work for standard security - the part of the problem that I am struggling with is that we are doing 2-way SSL.

            I have clientauth="true" in the connector configuration in Tomcat's server.xml. Basically, that has made it so that everyone who connects to the site has to present a certificate.

            What I need is for a few directories to not require the client certificate.

            For the record, I am running JBoss 4.0.2 with Josso, in case that clears anything up for anyone. Sorry if I left out some details or was a little hazy about them the first time around.

            Thanks again,


            • 3. Re: ClientAuth configuration question
              chris griffith Expert


              I think you are merging two separate issues of authentication and encryption.

              You can specify that the conatiner use client certificates as a means to authenticate a user by setting the auth-method element to "CLIENT-CERT". This means that when a user tries to access a restricted resource as set up in you web.xml using security-constraint elements, the container will attempt to authenticate user by authenticating a client certificate in request header.

              As a separate issue, you can encrypt the transport of data using "two-way" SSL. Which requires a client certificate to be checked by SSL service. This is done by setting a transport-guarantee element to "CONFIDENTIAL" in a user-data-constraint element in web.xml.

              I would think what you want to do is...

              1) secure some url's (i.e. resources) using "CLIENT-CERT" authentication method.

              2) then add transport garantees for those secured resources of type "CONFIDENTIAL".

              does that help? cgriffith