Skip to main content

How to make client authentication optional

No replies
anusheel
Offline
Joined: 2008-06-11

I have a JSF webapplication, I need to enable SSL for 3 pages and need client authentication on only 1 page out of 3 (CertificateLogin page)... application has in all around 15 pages (JSPs)

I thought that it will be possible with following configuration

web.xml
-----------login auth
------------------CLIENT_CERT
-----------Security Constraint for 1st page
------------------data transport = CONFIDENTIAL
-----------Security Constraint for 2nd page
------------------data transport = CONFIDENTIAL
-----------Security Constraint for 3rd page
------------------data transport = CONFIDENTIAL
------------------auth contrained ON for ANYONE (so that this page triggers client - cert authentication)

domain.xml had client-auth-enabled = false under tag for

This did not work and IE 7 and Firefox both could not display any of the 3 pages above. i was expecting all of them to work (atleast first 2)

It only worked when client-auth-enabled = true but then all 3 pages were asking for client authentication (last page hit (page 3) was asking for client certificate 2 times per request. first 2 only asked once per request).

how can I make client-authentication to be required only on a subset of page (s) under SSL pages category of a webapplication. i don't want to set client-auth-enabled = true.

thanks