Recently I was asked to configure a web application using client certificate authentication. I did this is using Weblogic Application Server version 10.3, however the concepts for this apply to most application servers. The following sections describe the configuration changes that must be applied to the environment for this to work.

Web application

The web application needs to be modified to restrict access to resources and require the use of a client certification. In order to do this modify the deployment descriptor of the application by adding a security constraint:

…

<security-constraint>

<display-name>Sec_Constraint_1</display-name>