I am trying to make a Tomcat web application use client certificate authentication for incoming connections. Everything works fine when using clientAuth=true in server.xml, however due to other applications running on the same server, we cannot use this in the production environment.
Is there a way to form a web.xml document such that it forces client certificate usage for the application in the same way as clientAuth=true? It seems like using the CLIENT-CERT setting also requires you to setup a tomcat user account for each certificate which is to access your system? We need to be able to allow all certificates which are from a specified CA (set in the server truststore) where the subject matches certain rules (checked within the actual application). I was hoping that something like the following would work, but no luck yet!
<security-constraint>
<web-resource-collection>
<web-resource-name>Everything</web-resource-name>
<url-pattern>/*</url-pattern>
</web-resource-collection>
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
<login-config>
<auth-method>CLIENT-CERT</auth-method>
</login-config>