I am deploying a webapp on Tomcat, which should eventually become a platform offering several services. Sometimes I need to be able to authenticate the user with client certificates, but only when she visits some servlet/URL, in order to validate the certificate and read some attributes.
I came to the conclusion that with Tomcat and JSP/servlets alone, it is not possible to make only part of the web app request client certificate authentication. It is either the whole Tomcat server that requests user certificates every time, everywhere (clientAuth true or want), or web.xml authorization settings that are not useful for this scenario.
Is there a framework, application server, or some particular proven architecture I can use to achieve this requirement? I thought of maybe having a separate server instance dedicated to mutual SSL authentication, redirecting the user and forwarding session parameters, but this option seems rather complex to manage. I bet there are similar solutions, just wondering if there is some reference implementation, guidelines, whatever... Thanks.
You can't do this with Tomcat alone. Client authentication is per webapp at best, or you can set it for the whole container in the server.xml Connector element, whatever use that is.
If you need this per resource you can get it by using Apache HTTPD in front and having it terminate SSL. (It will still pass the client certificate in a header to Tomcat so that Tomcat can obey the Servlet specification about making it available to webapps.) You can then configure practically everything about SSL right down to the level of individual files. This also gives you all kinds of other goodies like load balancing.
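As an added illustration of the setup the answer describes (not configuration from the original post or from the Tomcat/httpd projects), here is an Apache HTTP Server 2.4 fragment that terminates TLS, asks for a client certificate only under one path, and forwards the verified certificate to Tomcat in a request header. The hostname, file paths and the `/app/cert-login` path are placeholders; the header name `SSL_CLIENT_CERT` is the one Tomcat's `SSLValve` reads by default.

```apache
# httpd.conf (Apache HTTP Server 2.4 with mod_ssl, mod_headers, mod_proxy_http)
Listen 443
<VirtualHost *:443>
    ServerName app.example.test                  # placeholder hostname

    SSLEngine on
    SSLCertificateFile    /etc/ssl/server.crt    # placeholder paths
    SSLCertificateKeyFile /etc/ssl/server.key
    SSLCACertificateFile  /etc/ssl/client-ca.crt # CA that issued the client certs

    # Default for the whole site: never ask for a client certificate.
    SSLVerifyClient none
    SSLVerifyDepth  2

    # Only this URL demands a valid client certificate. mod_ssl renegotiates
    # (or uses post-handshake auth on TLS 1.3) when the request reaches it.
    <Location "/app/cert-login">
        SSLVerifyClient require
        # Export the PEM certificate and the usual SSL_* variables into the
        # request environment so mod_headers can forward them.
        SSLOptions +ExportCertData +StdEnvVars
    </Location>

    # Strip any SSL_CLIENT_CERT header the *client* sent; only httpd may set it.
    RequestHeader unset SSL_CLIENT_CERT early
    # Forward the verified certificate to Tomcat, but only when mod_ssl set it.
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s" env=SSL_CLIENT_CERT

    ProxyPreserveHost On
    ProxyPass        "/app/" "http://127.0.0.1:8080/app/"
    ProxyPassReverse "/app/" "http://127.0.0.1:8080/app/"
</VirtualHost>
```

On the Tomcat side, add `<Valve className="org.apache.catalina.valves.SSLValve" />` to the Engine or Host in server.xml so the header is turned into the standard `javax.servlet.request.X509Certificate` request attribute, and bind the HTTP connector to 127.0.0.1 (or otherwise firewall it) so nothing but httpd can reach it; the `unset ... early` line and the localhost-only connector are what stop a client from spoofing the certificate header, which would otherwise be a trivial authentication bypass. Any servlet outside `/app/cert-login` is never prompted for a certificate, which is the per-resource behaviour the question asks for.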