I have a java web application that supplies a REST-API for which I want to implement client certificate authentication. I am using Tomcat 9 Web Server to deploy the application as a warfile.
I only want this validation for the REST API and not for other applications deployed on the same server or other requests (for example the user interface).
Requests without a certificate or without a valid certificate should therefore not be blocked by my Web Server so I can verify the client certificate in my application code.
If I do not configure Tomcat for client certification, I cannot retrieve the certificate within my application code.
I have tried to use the following configuration:
<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443"
maxThreads="200"
scheme="https"
secure="true"
SSLEnabled="true"
keyAlias="tthserver" keystoreFile="C:\Temp\keystore\keystore.jks" keystorePass="PW"
truststoreFile="C:\Temp\keystore\truststore.jks" trustStorePass="PW"
clientAuth="want" sslProtocol="TLS" />
This however blocks requests with an invalid client certificate.
You will need to add the CLIENT-CERT login-configuration in the web.xml of the webapplication deployed in tomcat that needs client authentication. Other, web applications need not have this configuration, so when client access resources of other web application, the client authentication will not take place.
For more details you may refer to the link below: - https://users.tomcat.apache.narkive.com/C1hxh39a/tomcat-and-client-certificates