This page describes a Tomcat setup for SSL Client Authentication with fallback to FORM authentication. It is not about running FORM-based authentication over an ordinary SSL channel (server certificate only); you do not need SSL client authentication for that.

SSL Client Authentication (also known as "Client Certificate" authentication) uses the SSL/TLS handshake to authenticate clients based on an X.509 certificate: the server requests a certificate from the client and verifies it against its trust store. Normally this is accomplished by configuring SSL in Tomcat, and then configuring the web application's deployment descriptor to use "CLIENT-CERT" as the auth-method in the login-config section.
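For reference, the standard single-method setup that the description above refers to, as an added example that is not taken from the original page. It assumes a JSSE keystore at conf/server.jks, a trust store at conf/truststore.jks holding the client CA, the password "changeit" for both, a role named "user", and a constructed client subject DN; change all of these for a real deployment.

```xml
<!-- server.xml: HTTPS connector that requires a client certificate.
     clientAuth="true" makes the handshake fail without a certificate;
     the presented chain is validated against truststoreFile. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           clientAuth="true"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           truststoreFile="conf/truststore.jks" truststorePass="changeit"
           sslProtocol="TLS" />

<!-- tomcat-users.xml (assumed UserDatabaseRealm): for CLIENT-CERT the
     user name Tomcat looks up is the certificate's subject DN, so the
     entry must carry the DN verbatim. The DN below is a constructed example. -->
<user username="CN=alice,OU=Staff,O=Example Corp,C=US" password="" roles="user"/>

<!-- web.xml: protect everything, require TLS, and select CLIENT-CERT.
     The Servlet specification allows exactly ONE login-config element per
     application, which is why no FORM fallback can be declared here. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Protected</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
  <realm-name>Example</realm-name>
</login-config>

<security-role>
  <role-name>user</role-name>
</security-role>
```

Two points worth checking in such a setup: the trust store should contain only the CA(s) that issue client certificates, not a general-purpose bundle, since every CA in it can mint an accepted identity; and the realm entry must match the DN exactly as Tomcat renders it, so verify it once from the connector's debug output or the request's javax.servlet.request.X509Certificate attribute rather than typing it from memory.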

We found that for a number of applications we wanted to implement two levels of security: client authentication based on SSL certificates for serious security, but FORM-based login as a fallback option. This requirement can exist for a number of reasons:

In trying to implement this, we found that the only standards-conformant solution was to install the web application multiple times with different authentication configurations. This solution was very unsatisfactory for us, as it leads to a duplication of services, and the services are accessible under different URLs/ports depending on the desired security level. That just wasn't what we wanted.

So the following solution, unfortunately, is not standards-conformant. This is because the J2EE standard, while deferring authentication to the container, specifies the authentication method in the web application deployment descriptor (web.xml). There, only one login-config section is allowed, and it applies to the whole application. It does not permit you to configure a fallback login method.