I am deploying a webapp on Tomcat, which will eventually become a platform offering several services. Sometimes I need to be able to authenticate a user with a client certificate, but only when she visits some servlet / URL, in order to verify the certificate and read some of its attributes.
I came to the conclusion that with Tomcat and JSP / servlets alone it is impossible to make only part of the web application request client certificate authentication. It is either the entire Tomcat server requesting user certificates every time, everywhere (clientAuth true or want), or web.xml authorization parameters, which are not suitable for this scenario.
Is there any infrastructure, application server, or some specific proven architecture that I can use to achieve this requirement? I thought I might have a separate server instance dedicated to mutual SSL authentication, with redirection of user settings and session forwarding, but this option seems rather complicated to manage. I am sure there are similar solutions; I am just wondering if there is any reference implementation, recommendations, whatever ... Thank you.
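As an added example (not code from the question or from any answer to it), here is one concrete form of the "separate mutual-SSL endpoint" idea the question raises, kept inside a single Tomcat instance: a second HTTPS connector with `clientAuth="true"`, plus a servlet filter mapped only to the URLs that need a certificate. The filter reads the verified chain from the standard `javax.servlet.request.X509Certificate` request attribute that Tomcat populates, and if the request arrived on the ordinary connector it redirects the browser to the same path on the mTLS port. The port numbers, keystore paths, passwords, the `/secure/*` mapping and the `client.subject` attribute name are all assumptions chosen for the example.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed server.xml fragment (hypothetical ports and keystores):
 * the default HTTPS connector never asks for a client certificate,
 * the second one requires a certificate signed by a CA in clients.jks.
 *
 *   <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
 *              clientAuth="false" keystoreFile="conf/server.jks" keystorePass="changeit"/>
 *   <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
 *              clientAuth="true"  keystoreFile="conf/server.jks" keystorePass="changeit"
 *              truststoreFile="conf/clients.jks" truststorePass="changeit"/>
 *
 * Assumed web.xml mapping, so the filter only guards the certificate-protected part:
 *
 *   <filter><filter-name>clientCert</filter-name><filter-class>ClientCertFilter</filter-class></filter>
 *   <filter-mapping><filter-name>clientCert</filter-name><url-pattern>/secure/*</url-pattern></filter-mapping>
 */
public class ClientCertFilter implements Filter {
    // Standard Servlet attribute under which Tomcat exposes the TLS-verified chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Assumption: matches the clientAuth="true" connector above.
    private static final int MTLS_PORT = 8444;

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] tlsChain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (tlsChain == null || tlsChain.length == 0) {
            if (request.getServerPort() == MTLS_PORT) {
                // Already on the mTLS connector and still no certificate: do not loop, fail.
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
                return;
            }
            // Plain HTTPS connector: send the browser to the same path on the mTLS port.
            // Host and path come from this request only, so this cannot become an open redirect.
            String query = request.getQueryString();
            String target = "https://" + request.getServerName() + ":" + MTLS_PORT
                    + request.getRequestURI() + (query == null ? "" : "?" + query);
            response.sendRedirect(target);
            return;
        }

        // tlsChain[0] is the client's own (leaf) certificate; Tomcat has already
        // checked the chain against the truststore, we additionally enforce the validity window.
        X509Certificate leaf = tlsChain[0];
        try {
            leaf.checkValidity();
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not currently valid");
            return;
        }

        // Hand the attributes the servlet wants to read downstream (assumed attribute name).
        request.setAttribute("client.subject", leaf.getSubjectX500Principal().getName());
        request.setAttribute("client.serial", leaf.getSerialNumber().toString(16));
        chain.doFilter(req, res);
    }
}
```

Because HTTP cookies are scoped by host and not by port, the JSESSIONID issued on port 8443 is also sent to port 8444 on the same host, so the same Tomcat instance and webapp see the same session on both connectors and no separate session forwarding is needed. The browser will only be prompted for a certificate when it connects to the mTLS port, which is what confines the prompt to the protected URLs.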