Tomcat server uses "Client Authentication" to ensure users are valid
SSL (Secure Sockets Layer) allows web browsers and web servers to communicate over a secure connection, with both the browser and the server encrypting traffic before sending data. Authentication is an important part of the SSL protocol and typically involves the server presenting a set of credentials to the visitor, a "Certificate," as proof that the site is legitimate. With "Client Authentication," the server additionally asks the visitor for proof that they are who they claim to be, in the form of a client certificate. Most SSL-enabled web servers do not request Client Authentication.
How the client certificate authentication works in Tomcat
The CLIENT-CERT authentication method in Tomcat works in the following way:
1) If tomcatAuthentication="false" is set on the AJP Connector in server.xml, Tomcat simply takes the username from the AJP request and assumes that all authentication has already been done by the front-end web server. Tomcat then trusts whatever username the AJP peer sends, so the AJP port must be reachable only from that trusted front end.
2) If tomcatAuthentication="true" is set (the default), configuring CLIENT-CERT as the auth-method results in the org.apache.catalina.authenticator.SSLAuthenticator valve being inserted automatically into the application Context.
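The two modes above, as an added configuration example (not from the original page or the Tomcat project): an AJP connector that trusts the front end's username but is locked to loopback with a shared secret, beside a Tomcat-side setup where an HTTPS connector requires a client certificate and web.xml selects CLIENT-CERT. Ports, file names, the secret and the role name are constructed values, and the SSLHostConfig and secretRequired attributes assume Tomcat 8.5.51 / 9.0.31 or later.

```xml
<!-- server.xml, scenario 1: Apache httpd authenticates, Tomcat trusts it.
     tomcatAuthentication="false" makes Tomcat use the REMOTE_USER forwarded
     over AJP without checking it, so the port is bound to loopback and
     protected by a shared secret that the AJP proxy must present. -->
<Connector protocol="AJP/1.3"
           address="127.0.0.1"
           port="8009"
           secretRequired="true"
           secret="REPLACE-WITH-LONG-RANDOM-SECRET"
           tomcatAuthentication="false"
           redirectPort="8443" />

<!-- server.xml, scenario 2: Tomcat itself verifies the client certificate.
     certificateVerification="required" fails the TLS handshake unless the
     client presents a certificate that chains to a CA in the truststore. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig certificateVerification="required"
                 truststoreFile="conf/client-ca.p12"
                 truststorePassword="changeit">
    <Certificate certificateKeystoreFile="conf/server.p12"
                 certificateKeystorePassword="changeit" />
  </SSLHostConfig>
</Connector>

<!-- web.xml, scenario 2: CLIENT-CERT causes SSLAuthenticator to be added to
     the Context. It hands the verified certificate chain to the Realm, which
     with the stock realms looks up a user named by the certificate's
     subject DN; that user must hold the role below to reach /secure/*. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert-user</role-name>
  </auth-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
```

In scenario 1, request.getRemoteUser() returns the name httpd forwarded; in scenario 2 it returns the subject DN that the Realm matched, so an empty remote user in either case points at the corresponding side of the chain not having authenticated the request.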
Remote User: the remote user information is not retrieved even after successful authentication
There are two types of authentication information that can be retrieved from Tomcat.
First scenario: Apache HTTP Server side authentication.
Second scenario: Tomcat side authentication.
To configure Tomcat to retrieve the Apache side authentication:
1. In the httpsd.conf, set up authorization for the protected directory. For example: