I need to apply SSL "Mutual Authentication" for Web services (SOAP) and "One Way Authentication" for Web pages to avoid having certificates in the browser. For information, the GUI and SOAP Web services are in the same war module.
I used SSL Mutual authentication at the Tomcat container level:
<Connector port="8443" protocol="HTTP/1.1" connectionTimeout="20000"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           clientAuth="true"
           sslProtocol="TLS"
           keystoreFile="D:\certificates\demo-keystore"
           keystorePass="xxxxxxxx"
           truststoreFile="D:\certificates\demo-truststore"
           truststorePass="xxxxxxxx"/>
Thank you in advance.
Based on the Tomcat documentation about the clientAuth attribute:
Set to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set to want if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. A false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication.
I set clientAuth to "false" and configured CLIENT-CERT authentication in WEB-INF/web.xml. This will require a client certificate for Web services with the URL pattern /ws/*:
<security-constraint>
    <web-resource-collection>
        <web-resource-name>CXFServlet</web-resource-name>
        <url-pattern>/ws/*</url-pattern>
    </web-resource-collection>
    <!-- An auth-constraint is what makes the container invoke the CLIENT-CERT
         login method; without it only the transport guarantee is enforced and
         no client certificate is ever requested. "*" accepts any role the
         realm maps the certificate's subject DN to. -->
    <auth-constraint>
        <role-name>*</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
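As an added defence-in-depth check (example code, not from the question or the answer above, and not part of Tomcat or CXF): a servlet Filter mapped to the same /ws/* pattern that fails closed if the request arrived without a container-verified client certificate, and records the certificate subject for the endpoint. It relies on the standard Servlet request attribute javax.servlet.request.X509Certificate, which Tomcat populates only after the TLS stack has accepted the client's chain against the configured truststore; the filter therefore does not replace the container's trust check, it only guards against a web.xml misconfiguration silently turning mutual TLS off. The class name ClientCertFilter and the request attribute ws.client.subject are assumptions for this example; on Tomcat 10+ the javax.servlet packages are jakarta.servlet instead.

```java
// Added example, not code from the original page: a fail-closed filter for /ws/*.
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.logging.Logger;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletResponse;

// Hypothetical class name; mapped to the same URL pattern as the CXFServlet constraint.
@WebFilter(urlPatterns = "/ws/*")
public class ClientCertFilter implements Filter {

    // Attribute name defined by the Servlet specification; Tomcat sets it only when
    // the client presented a chain that the connector's truststore verified.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    private static final Logger LOG = Logger.getLogger(ClientCertFilter.class.getName());

    @Override
    public void init(FilterConfig cfg) {
        // Nothing to configure for this example.
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;

        // Reject plain HTTP outright; the CONFIDENTIAL transport guarantee should
        // already redirect, but the filter must not depend on that.
        if (!req.isSecure()) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }

        X509Certificate[] clientChain = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // No verified chain means the container did not perform client authentication
        // (for example because the security constraint lacks an auth-constraint).
        if (clientChain == null || clientChain.length == 0) {
            LOG.warning("Web service request without client certificate from "
                    + req.getRemoteAddr());
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }

        // clientChain[0] is the end-entity certificate; expose its subject to the
        // endpoint so authorisation can be decided per client identity.
        String subject = clientChain[0].getSubjectX500Principal().getName();
        LOG.info("Web service request authenticated by client certificate: " + subject);
        req.setAttribute("ws.client.subject", subject); // hypothetical attribute name

        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }
}
```

Because the filter is mapped with an annotation it needs no web.xml entry; if your web.xml declares metadata-complete="true", register it with a filter and filter-mapping element for /ws/* instead. The browser-facing pages outside /ws/* are untouched, which is the one-way TLS behaviour the question asks for.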