siim

Reputation: 375

Tomcat 6 SSL and Form authentication side by side

Is it possible to use two authentications methods side by side in Tomcat 6.xxx?

Story: Right now my app runs on ports 80 and 443. The 443 connector has the clientAuth="want" parameter. If the client comes in over 80, no cert is required. But when the client comes in over 443 and has a smart card in the reader, the cert is automatically asked for, even if the client doesn't want to log in.

For login with a user cert, I have a FormFallBack authenticator, which means that if the client doesn't send a certificate (he has no smart card in the reader) or certificate validation fails in the authenticator, the authenticator redirects to a form where he can log in with username and password. My English isn't very good, so here is a better overview of a similar system: http://wiki.apache.org/tomcat/SSLWithFORMFallback

But the process of asking for the user cert is annoying for the user if the browser asks for the cert multiple times when the user doesn't want to use the smart card for login (but has it in the reader) and instead wants to log in with username and password.

So is there an option for the following: I have a login page with username and password fields and a login button. If the user presses the login button, he is logged in with username and password (directed to the form authenticator).

But on the same page there is a button "Login with smartcard". If he presses this button, the server asks for the user cert and hands it to the authenticator.

Hope you understand the problem.

Upvotes: 2

Views: 519

Answers (3)

user207421

Reputation: 310893

See the AuthenticRoast project in Google Code. It does exactly this and more.

Upvotes: 0

Bruno

Reputation: 122649

If you keep the authenticated state in the servlet session, you can indeed offer to log on via either a form or a client certificate by providing two distinct buttons (or links).

I'm assuming here that you can have paths like /login/form for the form and /login/cert for authentication via a client-cert.

You can trigger client-certificate authentication on demand, when visiting /login/cert using SSL/TLS renegotiation. To do this, use clientAuth="false" in the connector configuration, but put a security constraint on that path in the webapp, using <auth-method>CLIENT-CERT</auth-method>: this will trigger renegotiation when required.

For this to work, you'll need a version of the JRE that supports RFC 5746 (Oracle Java 6 r22 or later), and your clients should support it too. Modern versions of browsers/OSes should support this by now.

Upvotes: 1
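The configuration the answer above describes, as an added example that is not part of the original answer or of the Tomcat distribution: the HTTPS connector stays at clientAuth="false", and only the path /login/cert is protected by a CLIENT-CERT constraint, so the certificate request (and the TLS renegotiation behind it) happens only when that link is visited. File paths, keystore names, passwords and the role name "user" are assumptions for illustration.

```xml
<!-- conf/server.xml: HTTPS connector that never asks for a client cert up front.
     Do not set allowUnsafeLegacyRenegotiation="true": the on-demand renegotiation
     must use the RFC 5746 secure form, which needs a JRE and browsers that support it. -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           truststoreFile="conf/smartcard-ca.jks" truststorePass="changeit"
           clientAuth="false" />

<!-- WEB-INF/web.xml of the context that serves /login/cert (assumed layout).
     The auth-constraint is what makes Tomcat run the CLIENT-CERT authenticator,
     which in turn triggers the renegotiation to fetch the certificate.
     CONFIDENTIAL forces the request onto the 443 connector first. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Smart card login</web-resource-name>
    <url-pattern>/login/cert</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Smart card</realm-name>
</login-config>
```

Two caveats a practitioner will run into. First, the servlet specification allows one login-config per web application, so the form login for /login/form and the CLIENT-CERT login above cannot both be declared in the same web.xml; either the cert path lives in its own context (as assumed here, with the session state it establishes handed over to the main application) or a custom authenticator such as the SSLWithFORMFallback one linked in the question makes the choice per request. Second, CLIENT-CERT only verifies that the certificate chains to a CA in the connector's truststore; the realm must still map the certificate's subject DN to a user with the "user" role, otherwise the constraint returns 403 even for a valid smart card.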

Christopher Schultz

Reputation: 20862

I believe you will have to write your own Tomcat authenticator that understands these requirements.

It may not actually be possible because AFAICT you are asking to be able to reconfigure the behavior of the SSL connector on a per-user basis, and you can't configure the connector for the user before the SSL negotiation has taken place.

Upvotes: 1
