Client Authentication in Tomcat (HTTPS)
I have an application that runs as a filter inside Tomcat (and Tomcat is the webserver). This application receives requests from external parties, and I need to authenticate these requests.
I am using HTTPS certificates. The server (me) authentication at the client seems to be well discussed (http://tomcat.apache.org/tomcat-4.0-doc/ssl-howto.html) but I am not sure about how to configure my Tomcat to authenticate the client certificates.
Setting "clientAuth = true" seems to only enforce that the client send their certificate, but how is the actual authentication done?
If this is not the right forum, can someone please direct me to the correct one?