2
votes

Is there a way to force client certificate authentication only on a particular part of a web application, i.e. some servlet that handles client certificate authentication?

The clientAuth parameter on server.xml set to 'true' or 'want' works for me, but is inconvenient because it prompts the user to choose a certificate in any part of the application.

On the other hand, I tried setting clientAuth to 'false', and using web.xml to enforce security only on a specific servlet. It worked, but this is limited to the users specified in the tomcat-users.xml file, hence other users' certificates are not authorized to the servlet by tomcat.

I need to be able to restrict client certificate authentication to a particular url of my application, while accepting any certificate (trusted, or even not), for authentication and provisioning purposes (the servlet basically reads the information from any certificate, the application decides what to do).

I know there are similar questions like [1], but I did not find the answer that suits these particular needs. Thanks a lot.

[1] Using CLIENT-CERT for Tomcat without specifying a username


1 Answer

1
votes

SSL is a network layer that works below HTTPS, so you cannot control it in a servlet.

The only way is to deploy your webapp in a non-SSL web server. When a servlet (or other resource) needs SSL client auth, just redirect to an HTTPS URL (the same site with the HTTPS port, or another site).
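The redirect approach the answer describes, as an added example that is not code from the question or the answer: a hypothetical `CertProvisioningServlet` mapped to the one URL that needs a certificate. A request arriving on the plain HTTP connector is redirected to the same path on an assumed HTTPS connector (port 8443, configured with `clientAuth="want"`), so the rest of the application is never prompted. On the HTTPS side the servlet reads the certificate chain from the standard Servlet attribute `javax.servlet.request.X509Certificate`, which the container populates after the TLS handshake, checks the validity period, and hands the subject to the application's own provisioning logic. With `want` rather than `true`, a client that presents no certificate still reaches the servlet, so the servlet itself must treat a missing chain as unauthorized.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet for the single URL that needs client certificate auth.
public class CertProvisioningServlet extends HttpServlet {

    // Assumption: Tomcat's HTTPS connector (clientAuth="want") listens on this port.
    private static final int HTTPS_PORT = 8443;

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        if (!req.isSecure()) {
            // Plain HTTP: send the browser to the same URL on the HTTPS connector.
            // Only this servlet triggers the certificate prompt; other URLs stay on HTTP.
            StringBuilder target = new StringBuilder("https://")
                    .append(req.getServerName()).append(':').append(HTTPS_PORT)
                    .append(req.getRequestURI());
            if (req.getQueryString() != null) {
                target.append('?').append(req.getQueryString());
            }
            resp.sendRedirect(target.toString());
            return;
        }

        // Standard Servlet API attribute: the chain the client presented during the
        // TLS handshake, leaf certificate first. Null when no certificate was sent.
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "A client certificate is required for this resource");
            return;
        }

        X509Certificate leaf = chain[0];
        try {
            // Reject expired or not-yet-valid certificates before looking at the contents.
            leaf.checkValidity();
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate is outside its validity period");
            return;
        }

        // Trust is not decided here: the servlet only extracts identity data and the
        // application's provisioning logic decides whether to accept this subject.
        String subject = leaf.getSubjectX500Principal().getName();
        String issuer = leaf.getIssuerX500Principal().getName();

        resp.setContentType("text/plain;charset=UTF-8");
        resp.getWriter().println("subject: " + subject);
        resp.getWriter().println("issuer:  " + issuer);
        resp.getWriter().println("serial:  " + leaf.getSerialNumber().toString(16));
    }
}
```

Note that the redirect only moves the certificate prompt; it does not protect the URLs that remain on the HTTP connector, and any decision to honour an untrusted issuer must be made explicitly in the provisioning logic rather than implied by the handshake having succeeded.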