request client certificate authentication only to some particular resource

I am deploying a webapp on Tomcat, which should eventually become a platform offering several services. Sometimes I need to be able to authenticate the user with client certificates, but only when she visits some servlet/URL, in order to validate the certificate and read some attributes.

I came to the conclusion that with Tomcat and JSP/servlets alone, it is not possible to make only a part of the web app request client certificate authentication. It is either the whole Tomcat server that requests user certificates every time everywhere (clientAuth true or want), or web.xml authorization settings that are not useful for this scenario.

Is there a framework, application server, or some particular proven architecture I can use to achieve this requirement? I thought of maybe having a separate server instance dedicated to mutual SSL authentication, redirecting the user and forwarding session parameters, but this option seems rather complex to manage. I bet there are similar solutions, just wondering if there is some reference implementation, guidelines, whatever... Thanks.

user8658912 asked Feb 13 '23 19:02


1 Answer

I've done this in the past directly with Tomcat, using client-certificate re-negotiation. The configuration may have changed slightly with newer versions of Tomcat, but here is the idea:

  • Configure your connector for client authentication: set its trust store parameters, but use clientAuth="false". This is documented in the Tomcat documentation:

    Set to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to want if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. A false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.

  • In your web.xml file, use something like this:

    <web-app>
        <display-name>My Webapp</display-name>
        <security-constraint>
            <web-resource-collection>
                <web-resource-name>App</web-resource-name>
                <url-pattern>/</url-pattern>
            </web-resource-collection>
            <auth-constraint>
                <role-name>cert</role-name>
            </auth-constraint>
            <user-data-constraint>
                <transport-guarantee>CONFIDENTIAL</transport-guarantee>
            </user-data-constraint>
        </security-constraint>
    
        <login-config>
            <auth-method>CLIENT-CERT</auth-method>
        </login-config>
    
        <security-role>
            <role-name>cert</role-name>
        </security-role>
    </web-app>
    

    Of course, adapt web-resource-collection with the URL pattern you need.

Bruno answered May 01 '23 04:05
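The answer above covers the connector and the web.xml constraint, but not what the asker actually wants to do once Tomcat has obtained the certificate: validate it and read attributes from it. The servlet below is an added example, not code from the question or the answer. It assumes the web.xml constraint's url-pattern has been narrowed to /secure/*, that the connector's trust store is configured as the answer describes, and that the servlet is registered at the hypothetical path /secure/cert-check (all of these are assumptions). The attribute name javax.servlet.request.X509Certificate is the standard one the Servlet specification defines for the verified client chain.

```java
package example; // hypothetical package name for this added example

import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.CertificateException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;

import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Only URLs matched by the CLIENT-CERT security constraint in web.xml cause
// Tomcat to ask the browser for a certificate; the rest of the webapp is
// served over plain server-authenticated TLS. This servlet lives under the
// constrained path, so by the time doGet() runs the container has already
// verified the chain against the connector's trust store.
@WebServlet("/secure/cert-check") // assumed path, matched by an assumed /secure/* constraint
public class CertificateAttributeServlet extends HttpServlet {

    // Servlet-spec attribute holding the client chain, leaf certificate first.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // SAN type tags from RFC 5280 as returned by getSubjectAlternativeNames().
    private static final int SAN_RFC822_NAME = 1;
    private static final int SAN_DNS_NAME = 2;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // If the constraint or connector is misconfigured the attribute is null.
        // Fail closed rather than treating "no certificate" as authenticated.
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        X509Certificate leaf = chain[0];
        try {
            // Re-check the validity window in application code as well; it is
            // cheap and keeps the servlet correct even if the connector is
            // later loosened (e.g. switched to want/optional).
            leaf.checkValidity();
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid: " + e.getMessage());
            return;
        }

        resp.setContentType("text/plain;charset=UTF-8");
        PrintWriter out = resp.getWriter();

        // Attributes the asker wants to read: subject, issuer, serial and SANs.
        out.println("subject: " + leaf.getSubjectX500Principal().getName());
        out.println("issuer:  " + leaf.getIssuerX500Principal().getName());
        out.println("serial:  " + leaf.getSerialNumber().toString(16));
        out.println("notAfter: " + leaf.getNotAfter());

        // getUserPrincipal() is populated by Tomcat's CLIENT-CERT authenticator
        // once the Realm has mapped the subject DN to a user with the "cert" role.
        if (req.getUserPrincipal() != null) {
            out.println("principal: " + req.getUserPrincipal().getName());
        }

        try {
            Collection<List<?>> sans = leaf.getSubjectAlternativeNames();
            if (sans != null) {
                // Each entry is a two-element list: [Integer type, Object value].
                for (List<?> san : sans) {
                    int type = (Integer) san.get(0);
                    if (type == SAN_RFC822_NAME) {
                        out.println("email SAN: " + san.get(1));
                    } else if (type == SAN_DNS_NAME) {
                        out.println("dns SAN:   " + san.get(1));
                    }
                }
            }
        } catch (CertificateParsingException e) {
            out.println("SAN extension unreadable: " + e.getMessage());
        }
    }
}
```

Two practical caveats when wiring this up. First, the `<auth-constraint>` with role `cert` in the answer's web.xml only admits a request if Tomcat's Realm recognises the presenting certificate: with the default realms the username looked up is the certificate's subject DN, so that DN (or a matching entry in whatever realm you use) has to be granted the `cert` role, otherwise a perfectly valid certificate still yields 403. Second, the whole approach relies on TLS renegotiation to request the certificate mid-connection; TLS 1.3 removed renegotiation in favour of post-handshake authentication, so whether a CLIENT-CERT constraint on a subset of URLs still works with TLS 1.3 depends on the Tomcat and JSSE versions in use and should be verified on the deployed stack rather than assumed.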