Using CLIENT-CERT for Tomcat without specifying a username

Question

I am trying to make a Tomcat web application use client certificate authentication for incoming connections. Everything works fine when using clientAuth=true in server.xml,

Answer 1

First of all, it sounds like you want clientAuth=want instead of clientAuth=true: that will allow the client to provide a certificate but not absolutely require one.

When you use authentication of any kind, Tomcat (or any servlet container for that matter) must be able to build a Principal object out of it -- one that has a name (usually a username). The container then must decide what roles the user has in order to properly authorize a particular request. So, Tomcat will need to know about the users beforehand in order to make authorization work.

On the other hand, if you don't need any authorization, you could set clientAuth=want and then use a Filter to verify the certificate. There's no need to use CLIENT-CERT authentication if you are already doing your own checking.