1

I am trying to create a Java servlet application that requires client certificate authentication, but only on specific pages. I would like to have a landing page that doesn't require any sort of authentication which will have a link/button to go to a page that does require authentication. Is there a way to do this?

I am using OpenLiberty as the servlet container. I am familiar with using ClientAuthenticationSupported="true" (in server.xml), but I do not want the user prompted to select a certificate until they reach a certain page. I have also looked at HttpServletRequest, but don't see a way to force a specific type of authentication with the available methods.

I want the user to be prompted like they would be visiting prod.idrix.eu/secure. Is there a way to set a servlet's authentication type programmatically to accomplish this? Any help would be appreciated. I think this can be done using two different applications (one that does not require authentication and one that does), but I would like to keep it all as one.

Thanks.

1
  • This is all done with Container Managed Security in your web.xml file. Commented Feb 17, 2022 at 0:37

1 Answer

3

In web.xml you can specify security-constraints that will include URL patterns for the pages that should be protected. You can also configure <login-config> to use CLIENT-CERT authentication method. In the server.xml then you configure your user registry and mapping between cert and user. More details here - https://www.ibm.com/docs/en/was-liberty/base?topic=liberty-ldap-certificate-map-mode


5 Comments

I currently am not using a web.xml because I am using servlets 3.0 annotations. Do I need to move my servlet mapping to there as well? Or is there a servlet annotation way of doing security-constraints? And is configuring a user registry required? I would like to allow any certificate that is trusted by my keystore.
@thewalruswaspaul It is possible, but much easier and cleaner will be via web.xml ;-) And you can only define security there, you can leave your servlet annotations as is.
Thank you, this has definitely led me in the right direction. I have been trying to do the same steps, but for basic certificate map mode link here. I am able to lock down a specific page, but I am never prompted to select a certificate from the browser unless I have ClientAuthenticationSupported="true" or ClientAuthentication="true". Is this how it is supposed to work? If I switch my '<login-config>' from CLIENT-CERT to BASIC it will give me a form popup, so it seems my web.xml configuration is correct.
@thewalruswaspaul yes, you need to have one of these ClientAuthentication... in your SSL config to trigger cert request. See here for details how it works - ibm.com/docs/en/was-liberty/…
Thank you. I was hoping I wouldn't have to use one of those because I just want the certificate request to appear on a certain page. It seems like that is not possible using Liberty. Thanks again for your help.
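
The configuration the answer and comments describe, put together as an added example (not code from the original posts or from the Liberty documentation). The role name `certUser`, the `/secure/*` pattern, the file names, the user `alice` and the environment variable names are assumptions chosen for illustration.

```xml
<!-- WEB-INF/web.xml: only /secure/* is constrained; the landing page is not listed,
     so it stays reachable without authentication. Servlet annotations stay as they are. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>cert-protected</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>certUser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>
  <security-role>
    <role-name>certUser</role-name>
  </security-role>
</web-app>

<!-- server.xml (Liberty): TLS settings, registry and role binding -->
<server>
  <featureManager>
    <feature>servlet-4.0</feature>
    <feature>appSecurity-3.0</feature>
    <feature>transportSecurity-1.0</feature>
  </featureManager>
  <keyStore id="defaultKeyStore" location="key.p12" password="${env.KEYSTORE_PASSWORD}"/>
  <keyStore id="clientTrust" location="trust.p12" password="${env.TRUSTSTORE_PASSWORD}"/>
  <!-- "Supported" asks for a certificate during the TLS handshake but accepts none;
       as the comments note, the request comes from this SSL setting, not from the URL. -->
  <ssl id="defaultSSLConfig" keyStoreRef="defaultKeyStore"
       trustStoreRef="clientTrust" clientAuthenticationSupported="true"/>
  <!-- Basic certificate map mode: the certificate subject's CN must match a user name. -->
  <basicRegistry id="basic" realm="certRealm">
    <user name="alice" password="${env.ALICE_PASSWORD}"/>
  </basicRegistry>
  <webApplication location="app.war" contextRoot="/">
    <application-bnd>
      <security-role name="certUser">
        <special-subject type="ALL_AUTHENTICATED_USERS"/>
      </security-role>
    </application-bnd>
  </webApplication>
</server>
```

With this setup the access decision is per URL, while the browser's certificate prompt follows the TLS handshake for the whole port, which is the behaviour the last comment runs into.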
