Client Certificate Authentication in Apache Tomcat

posted by SpringSource on March 14, 2010 11:26 AM

Tomcat server uses "Client Authentication" to ensure users are valid

SSL (Secure Sockets Layer) allows web browsers and web servers to communicate over a secure connection, with both the browser and the server encrypting traffic before sending data. Authentication is an important part of the SSL protocol and typically involves the server presenting a set of credentials, a “Certificate,” to the visitor as proof that the site is legitimate. With “Client Authentication,” the server additionally asks the visitor for proof that they are who they claim to be. Most SSL-enabled web servers do not request Client Authentication.

The CLIENT-CERT authentication in Tomcat works in the following way:

  • If tomcatAuthentication="false" is set in server.xml, Tomcat simply takes the username from the AJP request and assumes all authentication has already been done.
  • If tomcatAuthentication="true" is set, then CLIENT-CERT results in the org.apache.catalina.authenticator.SSLAuthenticator valve being inserted automatically into the application Context. When a request comes in, the valve does the following:
    • It checks whether a principal is already associated with the request. If there is one, it assumes the request was authenticated earlier; otherwise it invokes the authentication realm.
    • If the authentication realm has validate="true" in server.xml, the Realm validates the certificate. If validate="false" is set, the certificate validation check is skipped.
    • After the validation step, it simply invokes getPrincipal(username) with the username taken from the first certificate in the chain. If that username exists in the DB, authentication succeeds. No password is ever checked.
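To make that flow concrete, the following is an added Go simulation of the steps above; it is not Tomcat's code (the real valve and realm are Java classes under org.apache.catalina). It constructs a throwaway CA, a client certificate issued by that CA, and a self-signed certificate that merely copies the same subject DN, then runs both through the authenticator with validation switched on and off. The in-memory user store, the certificate names and keys, and the RFC 2253 rendering of the subject DN used as the lookup key are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Principal is what the realm hands back on success: a name and its roles, never a password.
type Principal struct {
	Name  string
	Roles []string
}

// userStore stands in for the realm's user database (constructed sample data), keyed by
// the subject DN Tomcat passes to getPrincipal(username); the DN string format is assumed.
var userStore = map[string][]string{
	"CN=alice,O=Example": {"admin"},
}

// Authenticate mirrors the SSLAuthenticator/Realm steps from the post: refuse an empty chain,
// verify it against the trusted roots only when validate is true, then look up the subject DN.
func Authenticate(chain []*x509.Certificate, roots *x509.CertPool, validate bool) (*Principal, error) {
	if len(chain) == 0 {
		return nil, errors.New("no client certificate presented")
	}
	if validate {
		opts := x509.VerifyOptions{Roots: roots, Intermediates: x509.NewCertPool(),
			KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
		for _, c := range chain[1:] { // intermediates the client sent along with its leaf
			opts.Intermediates.AddCert(c)
		}
		if _, err := chain[0].Verify(opts); err != nil {
			return nil, fmt.Errorf("certificate validation failed: %w", err)
		}
	}
	// validate="false" arrives here directly: the DN is trusted exactly as presented.
	username := chain[0].Subject.String()
	roles, ok := userStore[username]
	if !ok {
		return nil, fmt.Errorf("no user %q in realm", username)
	}
	return &Principal{Name: username, Roles: roles}, nil
}

// mustCert signs tmpl under parent with signerKey (parent == tmpl gives a self-signed
// certificate). A failure here is a bug in the fixture, so it panics.
func mustCert(tmpl, parent *x509.Certificate, key, signerKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

func leafTemplate(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn, Organization: []string{"Example"}},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
}

// BuildFixture constructs a CA, the client certificate chain it issued to alice, and a
// self-signed certificate that merely copies alice's subject DN (all constructed test data).
func BuildFixture() (issued, lookalike []*x509.Certificate, roots *x509.CertPool) {
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	caKey := newKey()
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := mustCert(caTmpl, caTmpl, caKey, caKey)
	issued = []*x509.Certificate{mustCert(leafTemplate(2, "alice"), ca, newKey(), caKey)}
	lookTmpl, otherKey := leafTemplate(3, "alice"), newKey()
	lookalike = []*x509.Certificate{mustCert(lookTmpl, lookTmpl, otherKey, otherKey)}
	roots = x509.NewCertPool()
	roots.AddCert(ca)
	return issued, lookalike, roots
}

func main() {
	issued, lookalike, roots := BuildFixture()
	for _, validate := range []bool{true, false} {
		p, err := Authenticate(issued, roots, validate)
		fmt.Printf("issued cert, validate=%-5v -> %v %v\n", validate, p, err)
		p, err = Authenticate(lookalike, roots, validate)
		fmt.Printf("lookalike,   validate=%-5v -> %v %v\n", validate, p, err)
	}
}
```

Running it shows what the validate flag actually decides: with validation on, only the CA-issued certificate maps to a principal and the self-signed copy is rejected at the chain check; with validation off, both produce the same principal, because the only remaining check is whether the presented DN exists in the user store. The roots passed to Verify play the role of the trusted CA set that the validation step consults.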
For more than 10 years, SpringSource employees have been supporting Apache technologies, with unparalleled experience and commitment to the Apache Software Foundation. More than 400 of the Fortune 500 count on SpringSource to support their mission-critical business applications. Leaders of the Apache Software Foundation, including Board Members, work at SpringSource and dedicate a significant amount of time further developing the Apache Tomcat open source project. Over the last 2 years, 95% of the issues fixed in the Apache Tomcat project were fixed by SpringSource engineers. For more information on how SpringSource can help your enterprise, see the SpringSource website, or call 800/444-1935.


It sounds like a simple

It sounds like a simple standard mechanism. I wonder if revealing the security mechanism won't enable hackers to breach it. I am using endpoint encryption, but when it comes to security one can never take too many measures; I learned that a long time ago.
