The SSL Connector in Tomcat is configured to optionally request client certificate but it will not fail if the client doesn’t provide any certificate:

There’s a bug in Tomcat JSS so this option doesn’t work now.

See also The HTTP Connector.

In the web.xml most REST services are configured to require certain roles. This will trigger authentication and authorization process.

In the context.xml each PKI Web application is configured with an authenticator and a realm:

The fallback authenticator will authenticate the user certificate if it’s provided. Otherwise it will request username and password. The actual authentication will be performed by the realm.

Tomcat requires that the classes for the authenticator and the realm must be stored in common/lib. The problem is the PKI classes that do the authentication are stored in the WEB-INF/lib, which is not accessible directly by the realm. To address this problem, a ProxyRealm is created in common/lib to satisfy Tomcat’s requirement and a PKIRealm is created in WEB-INF/lib to execute the actual authentication. When the Web application is started, the ProxyRealm will be linked to the PKIRealm (see CMSStartServlet.java below). The ProxyRealm will then forward any incoming authentication request to the PKIRealm.

See also The Realm Component.

• PKI Server Authentication

• Enabling Password Authentication

• Configuring Authentication Managers

• SSLWithFORMFallback

• PKI CLI Authentication