From: Mathieu Baudier <mbaudier@argeo.org>
Date: Tue, 14 Aug 2012 11:23:19 +0000 (+0000)
Subject: Working Client Certificate authentication.
X-Git-Tag: argeo-commons-2.1.30~871
X-Git-Url: http://git.argeo.org/?a=commitdiff_plain;h=2cfccc5b921ec8f53c0b28e8b54d2db205b7f95e;p=lgpl%2Fargeo-commons.git

Working Client Certificate authentication.

git-svn-id: https://svn.argeo.org/commons/trunk@5507 4cfe0d0a-d680-48aa-b62c-e0a02a3f76cc
---

diff --git a/demo/log4j.properties b/demo/log4j.properties
index 15ce795ea..06e71583d 100644
--- a/demo/log4j.properties
+++ b/demo/log4j.properties
@@ -12,8 +12,6 @@ log4j.logger.org.apache.coyote=INFO
 log4j.logger.org.apache.directory.server=ERROR
 log4j.logger.org.apache.jackrabbit.core.query.lucene=ERROR
 
-#log4j.logger.org.springframework.security.context=DEBUG
-
 ## Appenders
 # console is set to be a ConsoleAppender.
 log4j.appender.console=org.apache.log4j.ConsoleAppender
diff --git a/demo/ssl/ca.crt b/demo/ssl/ca.crt
new file mode 100644
index 000000000..4b46c47fb
--- /dev/null
+++ b/demo/ssl/ca.crt
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF6zCCA9OgAwIBAgIJAOn32kF0OI4QMA0GCSqGSIb3DQEBBQUAMIGLMQswCQYD
+VQQGEwJERTEPMA0GA1UECAwGQmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xDjAMBgNV
+BAoMBUFyZ2VvMRMwEQYDVQQLDApBcmdlbyBEZW1vMRYwFAYDVQQDDA1BcmdlbyBE
+ZW1vIENBMR0wGwYJKoZIhvcNAQkBFg5kZW1vQGFyZ2VvLm9yZzAeFw0xMjA4MTMx
+MjU1NTJaFw0xMzA4MTMxMjU1NTJaMIGLMQswCQYDVQQGEwJERTEPMA0GA1UECAwG
+QmVybGluMQ8wDQYDVQQHDAZCZXJsaW4xDjAMBgNVBAoMBUFyZ2VvMRMwEQYDVQQL
+DApBcmdlbyBEZW1vMRYwFAYDVQQDDA1BcmdlbyBEZW1vIENBMR0wGwYJKoZIhvcN
+AQkBFg5kZW1vQGFyZ2VvLm9yZzCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoC
+ggIBALNi3ZG2IxSvn/Ach9zpEIz2Nn7o/cMY/oUocBL9Pq+gcwBEnAyiC9MaJKDR
+M3HmIFMYrQ/6TdeSBblw1IO7ykeneybWpCEEA7zoK0DquXDRiuEyBWR+mz6JV/ce
+wrVo2bOnAUJgIfYUiEzYAT4j/+3qGUwokBAVbj+KSEnd5TnbMcbhRPzSW+Ghu/FL
+LIevq9BLRPQabLQTNvgVHGHX6iYTls7Y1jJaNe07mMfJOOuf2dfomiie7tMAyXKD
+XFg7vGRkW7kkSdXAvoasTXbmPj1AcxKKUtMqtoaMH0Lvl+4z1j9Zyi6Kg/7GZoE/
+uNZmSdVF/Qpx6VDcFGY8LaqUE9CNJgfvo6El0pXz+KZwV1nMMYLCM/bWSfR9tOob
+oHJW59C/JDGKY+1zEYuMlihGp2i/yM7PTw5Hi/Oi0L7gd55VesgVqm82lPmC1xUL
+bX7zI2lhVth7nMDbhmFMWxNGfuyuRFPNUR0VWhet8lYhrAHOA/r16T6cuKnzunmU
+3f9jmTZCxBD5PuFCCaZkrN2TYCTsI10K2EOXNPwJVPbBT6fkFhqFTU2eFiqcW95+
+e3t/HuGSUF6s/sDmSWJCDttnNKp6zGIGcB6xiUbuRkeV25PQq/UPQvxvBr7Df3I1
+PUneYQjjg4MXx+UvSdoRgPuPARpJBfJR4hVw2A/6MbkEfZ0BAgMBAAGjUDBOMB0G
+A1UdDgQWBBSnHbEv8ezkwPT+5UqmZllpM5NEAzAfBgNVHSMEGDAWgBSnHbEv8ezk
+wPT+5UqmZllpM5NEAzAMBgNVHRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4ICAQCY
+ZnF5ThcQfyUsqs7dGEb4j8WmnZ2+swueCp5TqkCtQU/0p63G5VwHoVkZkG9zBR5O
+JFqYO+UX8/jnbAeLfsw1+QW1IDzE1YIgmb8h8/j+erzO3krdEyweH3BcctaP3uJQ
+8AfMf3A6SamwXU96jNoRM6vPlMesM4ec82pTmspp5KSiP8JZ51tgeJm01Yr+WYF/
+3pDRjc0fJMfHfV1jRfVblTkaTYuIe9T+dpjWrh7t1u1M7nvPW6QWj2rbw3X9U/NR
+n0jyA063kskwWyY/uGXGIt+oCFhN323Jr1nQ8ZEJK38apS78xoC0Sxm5HQ6b8TII
+Jtc2YMPG0v2ygzN/lLlT1VnZfz6gPbFSv+otstQC7Kchdi6geQg2omYQVUzUCZEp
+Y8CQZTkXTEsrIaoIz/xn70RQAq8VQL4M42xfG/Z9WN+ype8fr2TMMrn9pRiLsnJd
+IQN5Tw6SwqqPLzfUirki4WY6up4wH11h9xyWeKAcK5rWq5qStlvdYmBDFUmnsXQj
+qdmNe96oZuZibS7+I0VER6/32u/MV2bHK6yXQEswXHrifHFvvq42HBayNdVPQZUG
+Y5Qrjo/19pAFmZFFs694TMz/85GtBnJkKBnciKrru1uzHMYo6Kim++wgPwfXNHXx
+gVYg4+NLjeXv2q178QtGxbKoHkqA7Q3lLEb4lw76gQ==
+-----END CERTIFICATE-----
diff --git a/demo/ssl/ca.key b/demo/ssl/ca.key
new file mode 100644
index 000000000..0888ad39b
--- /dev/null
+++ b/demo/ssl/ca.key
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,EBD71584ADEE8FE7
+
+L7Y9YmFRL/6tpCIskTGAp6St/9xx7dDMaFWk5AGPXk2q1hSV6XPp8m4zrJng2Cfd
+0iTP5G4p9zlceA6cV5lXFtZk9s3H6K38Pr2MtQ7pVMC9ZSXLeM+w1hj48Sdoe/ak
+oMhx9e6NVW9U4Lo4qX1lR4XE7NhdLf5nCAcB1zzwqbah8YnyKvkWjYFznfOz0ccV
+AQhsskfnUDNVB7SBQfvkJ2K5QVH9ElT81D8c323Cs/+7qD1NTEPNDQaB1XtUoTFr
+qMbgQKlGgku0CHpE9mnAfhrDiIox/kPk10jro2mSbeQraRkpxkudvADNEc0MLBUs
+cWfo4GkrvwWyZnFuVCZMjB6vJ8mVIVSZ0AEiTIq/sC+jiIfjSvAsaFdlV7BlUR2U
+KS7mnqivb6kRksyP5Om38MOF79KmxtLl7Cn4bio+qsQLcKBQwNoTqD2dFHVNdoTV
+TjP08xk+80oN0C246ZBeZLqwpfeXD71YQ5fkmw6AulJFr3NZDA6EAm6sJm+mC5fL
+a6JgnXe7ZBPnzzbHgm+8DOWa8kYh7lJ1iYPyg2iqK8O6t2jgl/C69pi6Qc/6NMry
+g6jyp0DnwpZG4P6pgy5fbbEqFOs6RkiFRtsQs88XDEE5tiJBtv9btHFZ16YGXr9V
+OL6/M5FIkHb/VC9+w+9ap0nyH8GtUMgx59gwAWPKbu5PC/4tZMts98btGzF6kV2A
+09/aI1RP79ImWLQtSy5BgjNozJ0biXdz1mSwgvrqz3TGySvwFzVGge1PMbJp+1iv
+XpkZGcS42OmHudDpK36QmWr4xizh8SOZLSW3803Mo8GkDT5xNz9w3xIZiXcXNAKt
+WE6U7nFuUpxvofnGjp9Shljt5HpYjqmB0cl3/y0n9wiZd5WeIYTC4PwmXH6qEyGO
+nh5WYOUNWtpVYHsmq6D0x1T3YXATBCWGFmDwJksnoWb3Czm49NJJpN837HynHcWG
+EBWQXWbzCZPp9C/lgttaOR67/QV6fl7aLx14jSbwWdgtCeQWDzYyL2vPr2m5xYOI
+ZgbYy6ULhGjsuMlD4JZEo2HFtU+5iw0sGTarp5xnB3v8AuiSzAJVGnGF55dcpTJ0
+DNaWv/xUt4s8GJgUPPPqhSibU/O9Mt4O2KxQl9wD424/tDFt4PArlDD2d+Xj29Nw
+2eWP8jlPZ6raAzp7ZFHB+SJBw49LF4ztGzSPWsmIWymBhfx1+d3e9LuqzHfVs83X
+9VjEY/i+xjIdry9Q1FWkTHbZgvYLVJ7fxenMT7nI8PPaecvQ4icEnB1zLGj4wbSc
+eFUsu+LkDb+SJOWh55xWlaiKsa4Qxll/1iHQ5xC2libjZU7sNmK0iJW1hOotF5RG
+ahWVbntVmqmVNm60IneckiQ1SLjlanOcM3QDFddjtmlCQ4OGMO6za8JRXErnKlhS
+I4P8Kzi889H5c9Y7l0GBarvdwrolWjgi80UHXkiNy6tU/3kn9+PB6RNZqzdng6dF
+dk4pQtqlEEkSBqqlPOXmRvDX+Ka60laDPzKefXrTjG8Y3EimRA7ngwhZMeONGMM9
+08wQI5lBVTJHvhFabnbbu1C6r8jd3es0u9AhXqI1WhILnR8DW/FwQFMLdIynYh9H
+41NLHCTaWslYlfBhAao+wnqL2BEN+fz2vxr27jZiQaovYMOA/0flH2rfcCigUtog
+EhVPCn4b5+qUZYux2RkBdhkJu2raJc6dtlTtsl/5KjHTe5wd0C3JeK/S0AaSeJG9
+/0xZvWcW4kVjovat9JPtuB6YDMH/gWmJby607iozF5z76rUAKmhObVNkW3C6+g1f
+ecpl7h6F5646oRMBh388sIYCfWtgYqZcuOiFylzDf0ZCAUlKMHIvQnbedHFu3VIS
+JK0teqwmIAmcsS1a91gn9N8GBVkzmf4BUTVXgWMQjtPJTCz4ZyFJvHHMrq5Ojocp
+/1sSU3iK4DuKeHRU5jr1c0YrGfREK8Gqxw1Ieh9Ah56zdWiGhXrlR5TH1mJJ0uFR
+ADNu/LoijVdLuJGMUneWS7qmPhLkzPv04sR2Ed7n7+E8Xn29lCgA68z5glaLEG8K
+HtlUGwNocnorrx2snQ77irbL+u4Qz/dfjJHmKu0JQvhM3XECqfQH3KLwmTnl0CxY
+zve3mlRV9LkVmOFINWH+bK+BiNBmgtm9mXRFyTQK3yUfqi/u3Imj1a3h3IL1S2rT
+IU6jkcoEvEQTmNiLIUg3ontwrHXm0kQA6RRccP6jYCAN4ao5iy9BfmDOmoOfdYuu
+qLrsB9JUuGyqEirrrApaNRhKNdJx8viVB9NDEO699CRMiEq0vIQqEBnsqmiq6hC1
+rJ+2+IGwa2Jf9qYtiCvGw+xaB0+x+nlb0uy9b+orzlKwX3UlUIs/AongtIcYe+BK
+Dwe+0yJ1gpkWoykR8hjx1b93QdTjamofqk2YJyBFUdrnn3lPJKvNyW2SgF0ZpkjQ
+ck1vo+lpZsvsXM8SbIJHfk0Mqat/BikB6bNXZs4FD6gn+dtPWCgPIDfYqhq+qe00
+zx2ZETYV9FRflZfIBg8xPJwj33NPO7j1HStBgtLSxLulkg5aVnpf/Qt5plgF+Ifs
+lnK9AYm9ah+3CbhOT9KoxzuNDOIbFlPkpUiC9v2bTtEE+mQrE4tag3L8IYzdaZCZ
+lgyPVnp1TQ6AiU/z0EkWvKTzcxcd8ujBjWk1NEaiNEowfxfB0CDnLaA0IN63pVwq
+H8QfQlIbAKKhRc9A7uoXrhO0YY0H2Sahd2AZnQkLPdUIUzp/JbeKC9JpmRnIF60C
+vdl/mUa5iqU3MihYOl9ykSD4V5iRYiB4QTIzF6TlyWW5RtrZh5m0jTFdh9D9uoro
+9HOs+ObdQg8UyBUQpII3ATr9Rf5r5uIml1ktbj97X7yBmdVXM8hHjkN7CzDHgWLh
+stbNBpoMf4dVaRHDm/wGn0jfqjeSUzEbnetpwseUbmiEjTXrYDyZ01Cf9gLq/8gs
+mqemNwLz16tGede34zQc5vHChEc3xJqbBIR5y7TCcDnEFDwKKLk3V5YpaTTLqT+y
+b9Espm2OovhBHQKDWqg8L5CRi1QTwyIjZHo++OlVlIslbsQlbqqkADBLhQcSB44i
+clxNml0TiqSYlY55MfBqmt5fbPYHI91Eg+/RbkfaW7supPjI0meS/idWX9r2FHLM
+-----END RSA PRIVATE KEY-----
diff --git a/demo/ssl/root@demo.crt b/demo/ssl/root@demo.crt
new file mode 100644
index 000000000..1f8a18c0a
--- /dev/null
+++ b/demo/ssl/root@demo.crt
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFiDCCA3ACAQMwDQYJKoZIhvcNAQEFBQAwgYsxCzAJBgNVBAYTAkRFMQ8wDQYD
+VQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjEOMAwGA1UECgwFQXJnZW8xEzAR
+BgNVBAsMCkFyZ2VvIERlbW8xFjAUBgNVBAMMDUFyZ2VvIERlbW8gQ0ExHTAbBgkq
+hkiG9w0BCQEWDmRlbW9AYXJnZW8ub3JnMB4XDTEyMDgxMzEzMjM0MloXDTIyMDgx
+MTEzMjM0MlowgYcxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzANBgNV
+BAcMBkJlcmxpbjEOMAwGA1UECgwFQXJnZW8xEzARBgNVBAsMCkFyZ2VvIERlbW8x
+DTALBgNVBAMMBHJvb3QxIjAgBgkqhkiG9w0BCQEWE3Jvb3RAZGVtby5hcmdlby5v
+cmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCrOC1BS1Qotq9D5NAg
+5761ATNjMNMsg3SFkbnVIY5bzraY+lxs2qW5I9BXEHGDIGXJoden8VmBI7Bd5vCE
+8yNu8VlhfwNOuDF2NQVCSzUU7LUzJuEW/CBo1zgES2RYaH8Rt6+/4VVEm6DFI+Dr
+7GVeJh/f2LIZuKvurz8wyxvbGAXeF1p6lerS5/Qw4JE/wgVLCecD92WP3zbMyj3I
+Of9njNJQ8w8lNVcu4LX0pNQHFyTotasMPAgnu6YZ9uWGjwb6fItl8JbFZSuQER1B
+d7stjbzvcFCBJ/ZdWm237nqfQXLakOqJvUEvzo1cVcDW8slTX/Ird2LKN5VslPyV
+pBxRUT8FhOANVnGP6E4iqhRMYyRW1i0e9+QRvhhwVIrC6NpMCYnZm3DponNIzZGF
+B7cHkT//vS2w4r5OtLVb2RleXGzxLag6GsVNyI74Abi4bsM/H+9CKN6NsSXn07BB
+kJERdOBO80L9W7zFhJ3IVRCIXGujCcOF0WZAareWESI1CVOPMgC32xdBbw/IrnGv
+dUc5BdsOInjsOcO17LbsNpEDQQavF5SUR1SLAmsrftQoYqtsBjzCiVcAFCOF8lwk
+lcEEWLSRwCOEtsieBtxKz7UvizFPn34iqvUwoN5BdceJQVry4wjXfraScIjnrHv8
+/6pvW/N63WJJODhQVEK499BM9wIDAQABMA0GCSqGSIb3DQEBBQUAA4ICAQAy1dBM
+ViLw4/eBUTtpZvlMotw0booS6opEKxAUuC7YDMkKwW4rqDxJTpyVKgC61q4Q5wyH
+fripqwJPgF6+aqDlRE3YHbHFHq+iKYSD582MIy7Bb1kmqvw+CkSWgaZFJiRuDT/2
+QCdEcWPYFRWP23/GuNZurd3M8GA+7Pd10XnqYbZgXLAdVVz+I4JzFT9KReVOY4Ne
+ZWSnzXb092FCpy/REUg0vUKKze5GzCiBfTTEAb4CpnY8HHlvcBsL2tNABhcP+gu2
+b7/LlhRZqlMaidJhGz2UH6WqXWweYce7ldpZ8khuxF2Rbnb0upIUuJgCKeJ1HckE
+JIVTiOJ7ZV2KSphpkVgiGqJidonTPOY46lihk0ZqGnbXfHXtI4JYKorLikefztS6
+8ExVVpbHZpTz9plqxc7/VpNqLGLwwDXRkIEMBR0OgIecVnSTe5vCdFnGZACwqHa4
+iy4hDmf6iBb7CmOAcP5W0w3yZ/p/jrc2K2lKglcU161pR7uCsStLaRh5Mec9MGpx
+K38Qaecm8NtC06I5aCPMA+5UrXdrsNvmeKZUwaztskkBzV9RibW/ogfoZeDpCh66
+HHG4Tgpkra4X82D6g71Mtkl3ez3tlFiUR9K0cuxtDxwaavPAmUo7tKOAG1UBgRlS
+t8DoCPRbx0o98O/x6g37H1UWe4sEiQSUaW1LiA==
+-----END CERTIFICATE-----
diff --git a/demo/ssl/root@demo.csr b/demo/ssl/root@demo.csr
new file mode 100644
index 000000000..54c05433e
--- /dev/null
+++ b/demo/ssl/root@demo.csr
@@ -0,0 +1,28 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIIEzTCCArUCAQAwgYcxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCZXJsaW4xDzAN
+BgNVBAcMBkJlcmxpbjEOMAwGA1UECgwFQXJnZW8xEzARBgNVBAsMCkFyZ2VvIERl
+bW8xDTALBgNVBAMMBHJvb3QxIjAgBgkqhkiG9w0BCQEWE3Jvb3RAZGVtby5hcmdl
+by5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCrOC1BS1Qotq9D
+5NAg5761ATNjMNMsg3SFkbnVIY5bzraY+lxs2qW5I9BXEHGDIGXJoden8VmBI7Bd
+5vCE8yNu8VlhfwNOuDF2NQVCSzUU7LUzJuEW/CBo1zgES2RYaH8Rt6+/4VVEm6DF
+I+Dr7GVeJh/f2LIZuKvurz8wyxvbGAXeF1p6lerS5/Qw4JE/wgVLCecD92WP3zbM
+yj3IOf9njNJQ8w8lNVcu4LX0pNQHFyTotasMPAgnu6YZ9uWGjwb6fItl8JbFZSuQ
+ER1Bd7stjbzvcFCBJ/ZdWm237nqfQXLakOqJvUEvzo1cVcDW8slTX/Ird2LKN5Vs
+lPyVpBxRUT8FhOANVnGP6E4iqhRMYyRW1i0e9+QRvhhwVIrC6NpMCYnZm3DponNI
+zZGFB7cHkT//vS2w4r5OtLVb2RleXGzxLag6GsVNyI74Abi4bsM/H+9CKN6NsSXn
+07BBkJERdOBO80L9W7zFhJ3IVRCIXGujCcOF0WZAareWESI1CVOPMgC32xdBbw/I
+rnGvdUc5BdsOInjsOcO17LbsNpEDQQavF5SUR1SLAmsrftQoYqtsBjzCiVcAFCOF
+8lwklcEEWLSRwCOEtsieBtxKz7UvizFPn34iqvUwoN5BdceJQVry4wjXfraScIjn
+rHv8/6pvW/N63WJJODhQVEK499BM9wIDAQABoAAwDQYJKoZIhvcNAQEFBQADggIB
+AC9kNx1on4Twa7g0WvtRloBHxmXVxbhHaQtwQyzDarwhW973hLrJ5/5+wKzUoofe
+lw1moerhxQ9SWR8ZnlqLUj6aFZQXUi0754kVfEjmp762EByBciZg1RzgIK4YX0ln
+Sl1I1un/1rnLZo4YXay1uj0ZP99Iz/9uZK4WhrCkuYDwBFaeYDIEvG0MTwwf4hc+
+2f8xGxJ3/y6qyIe7VR2hCu2jsBGurHhf3dNVNr0wHLfpMtp8vGi7tVs/u53Kv/2P
+X1p/UznzZEbm928LAEtKGRuawlER5PVV8APFP0sy8FcpLGV0mD3eJCWFvOWz+/y5
+w3uSamgkuCYAdypxPSZrXEOrijZXDGfO8hFQfjSArD0eHf0XXx887ImVBmn0S/Hf
+lcmLdLI2Q/Ku5HEOGKGV9PsuZCcvyIlgOM0mMhmfHNbTZ1/xIq2YsI0t01RdfHd0
+zDWNxRHazBjrHhDs1gGlwcgHDswedbg6vu+q/kVrw2U2E4u12LzK3XvA1BZEidmI
+rEF/07WGRZoXndHitWeQu/lAEZbuI6h2qIJnjjI9VcAVqhDKhHXjGA1ZLBhqz1eh
+QdBEM8atOBg32l/I8GtFXTsauEkAe6hYUnvI9DdQIX+X5AInO8NsOUNNzOmmNpIG
+fxez4kWCC5zIZbSqCX7qDqZswfVdgEYLhElQquRbEDHH
+-----END CERTIFICATE REQUEST-----
diff --git a/demo/ssl/root@demo.key b/demo/ssl/root@demo.key
new file mode 100644
index 000000000..0c6c32d98
--- /dev/null
+++ b/demo/ssl/root@demo.key
@@ -0,0 +1,54 @@
+-----BEGIN RSA PRIVATE KEY-----
+Proc-Type: 4,ENCRYPTED
+DEK-Info: DES-EDE3-CBC,8B121EE89E94390B
+
+EjQARpI26YQBaqJdsM/qRqB6isTEUhNnYbKGzUpRql8bSKdszmrcxVW2eCzdPPeZ
+O8AZmg0lhRguxqRFxuHHd7hP+l3QUJRWy9FbR3Lr/x3r2FFVU6tDqt5yTNveF/Np
+1EL+vz9SE0QA6mUTE1kruLVQLrruPE78nztchdZREO/QmKk13x7ljotbRlgN3EyC
+NfPaVIyHAN9j3PqPVsNbsrFZvdo0HXWbd/zy1Zh2BGepxeCOYu2nSNQsZmaB1QjX
+rQ/g86hE35PcZuvMSjXkGYXf4mhzTWlt3h/o0mfVC+1iMTLmb0V/XP0DitIDmApL
+PM4yEfD0icg5Y9XDhbONHe1NqaI++Pq6Pz84PrxPziNREg6dUsqZDRDdvzXnogOo
+XKZ1yZBYtBt/4eptpWBd6xS8pIaNlUEApaVkNCDnnoniffxu/xVqZ5d9DcwoqImU
+IMZahuDzM5+MrFuu3BjxtQtU4mfytQ521P2NZb4wlVI+7TnveZ2sqTosj1QCX9E9
+4jh/SBi+D27wg0AAQU0eK3PVGrUZxFUCldqSfv8pABWyv+alRJ2ooUu5KLybu/Fi
+WAajrdWxwDrtqpxm9FWEW+0R4dXhr5EVmfOvTgGOsZT9fdDiAlfZiZHHs4JGG5yP
+ueUTsBgjlWoT7vmzxLNtjbJ0dlgYZzVpISbEH+kEXXzgwULF9s8CEptJ1m6hztZv
+TigK5WL09WSBbZiJZrY1tZxbWgJfL5TsI0V43qY3QzhtBPZTzlNlqzIwLDsexx1s
+AcG/B6FSTfzokG7KQJ5yN8empKFWggDEihGqDf0CpBnodSWwEEN00Ue13Mb1G+DR
+iPEUuZioiuuXJGcsr6OS/bY5NIu+bV5gyFNohzHN2ofrthaiU2hmIG2erAdtrq3C
+rxxmG4zRPYx+g/kjHEMaDnkgbtpa1f/inN7q+AbvvnV6w0I2lUsrI6Q8BcuDiRmr
+IUXPLMMFFWEEyiYatWAa9taGsKzN5k/lIw+09iFiAjuy86cvnTrWVAl8zns/pbJG
+mwv0LtfW13nYaOdkP4FknR8jDffIWohyfCaGf04zjWHbSBFMe/8mMv+6PY6RM0Wm
+Ye4e6VwCg27iLSQfH5+bTKzKvAZzSdUFCwHB04r/yO9+XpNFwMKWxmSWvSUldJC8
+2LjdR87/MCVwjHMOXwQfooJNdQXGJAwAr/VL4F7sq7dl+ndOg97W9tCkr92hPLsF
+oLTNJrmPAY5CTKGPYsfUiKsLbfr6hmzM4vPui3PnKISlu7z4TWl8WOWJraR1SOn2
+pw0waZc9BrzIlXSKR19wVOznBmluFBTFtofR9k9b/XleF+gelyQuU7bVCC3mz/ej
+hzL4xJT8UCz+qoHK53icNceBtjIKazd/MD4GFKyzzGDcR2He1oa9c195flwW3o2p
+bUGsITKBQO6n4YqMXQIypAtiEaFTVcyi1LQYw/ojD3s5RWvM8/PP0S9FnGVJOPSO
+isiFcJEjshMfflyhfGjdSvISzaKXBv+JCLlxNjblmCxZKPSFTRsND0ddeLnjNdl3
+C2xXr/nrh6f2cglAEWEGKKLR8/hFGop59JeGS7GJxWfqO4JEEZJ+spzkyoduqIJO
+FCZpb+mkXbalWhUDXd3QubXLY4HfNHJ33kZKFdbuARVirdMEZgS40KLOT7LL2MtD
+QrhgRJftw4LXkuHgxXH3KauDWXWHOssxq0ZIRo7wzLRRN2I0Wu5eptb5rIDSI3Ta
+i0WLkdzkRkhiCQ6bp8jo8Dhlld9pqprDLdMfP/ztObAnj3aCA7SoZlSI0upeUpJq
+ksFhXfDRppBvkZnOSUa0SaiF0gn2ApbbeJHsikZDYA9OpqaRJmghNCkv8/4oN9DJ
+LA1pYU+M5bVonmf54EVqjwxgl7yIOU9kKa8HIGROPqUL0eVAYZwfi6ryA82ZMs2a
+FmncGPjqdVBRD/er9+eNLhr2oN4xGU+/rFutMH+EOG7G8moxMNMJk5KHK4Av1Bz0
+mFDT/WCEP/+mtxSq9iMplXpVP+AycCReuLkq/Vh+Y8BFwyLvzoSytNEAeZo8EMjy
+9hLYzUARePAQmFPLazR8mxeh/eRcxBNPWrWY4BpUv7oaVYx3+lkWbgUtPEQKBwqL
+cYeFZzT2XEwlmoUy7i39hjrX3eyBL/JLH9wcke4+0ASIR9bKAM+auEkVgiY85wC3
+c8uQxvAIwUd8vwRr73YxlNACpagmUGWnsyPo6UbKi599F/fHiD+okXpmWArb5Tya
+m3MLkgLpSepBk2m51Ek2TO7F14sMe+AcuSnFaICYfsDsZwRfy36oFIgrYp3bPKZF
+/UPU7WS4N7YfeCwHtIPKSyhnMMLUHvQzUSHorsVAfievW6fatldszMdKKRz9I+v0
+wVtUOwBB56PPFvihm33nfu1k3F76Dwezw4xMj5SPX/7S5BazDrlh9TWbpeVUEJY1
+9R6EX/LIjmpUishVkf4QZMGlBAD3CHdHN0L0fGkPvBV9bnVwq4NfrkKc/Ppb+6V+
+hHvlpCEAjLNT4bQ0kYcdcbDtBh1Jl38DGCnSrkBs6BpTQBzuSa1+WH17jUy5735g
+H7SRFmqwVDLF5C8St83cS1GxiVdk4hwFQzbmk45QYHucmj3J4gA5qqkLPomf8Rea
+mxqjbP1F294UXGuwOd3NQ2MqD7Csy1yjh9y6hN7hvy4CMsiB2zvkPBlFwV//DWbR
+OXlX77Jh7V9GNP0eMgxhjon6NeAgfsPpvhJ/49HWlOqqoBcc/HDV+fL1AJEQcSDn
+tlbO/j8dtd9kvULm+MCxMQvTWPbM6+aNJeTFw/2PCEquhfDf/QN6WHgSRph/43za
+DlSWK7xSs5dTp77Tu36oLN7agRAyN4H2hpoFs2TeORrgfheaLR67ULb3M2tL+Hgq
+mHrjKLXVRcEDG1I/DPhuD+jdMoBfoxxf3JKn72NWn4j1A/n59nbvtZQdgzrvI+1a
+l1nbl/z45HZUQyNgDshPXTsHRuA+4tp1J8WSk0NjYW47P8ZuolfQMGMVtUS8NAal
+Jk1tqhBhBIpcHucFrON+6gznT5OP+IxUPqHVMzqp5SJDSsgRjTkfQXJHdM7cWKym
+H4/wYx5CmYg8FzD7XN4t8fNqNMUeuVCWv+OYxC4quiEqWy93ijGQnxFdFW9HZNCC
+-----END RSA PRIVATE KEY-----
diff --git a/demo/ssl/root@demo.p12 b/demo/ssl/root@demo.p12
new file mode 100644
index 000000000..889f0b416
Binary files /dev/null and b/demo/ssl/root@demo.p12 differ
diff --git a/demo/ssl/server.ks b/demo/ssl/server.ks
new file mode 100644
index 000000000..cf0d090aa
Binary files /dev/null and b/demo/ssl/server.ks differ
diff --git a/demo/ssl/server.ts b/demo/ssl/server.ts
new file mode 100644
index 000000000..9af5fe41f
Binary files /dev/null and b/demo/ssl/server.ts differ
diff --git a/demo/ssl/ssl.txt b/demo/ssl/ssl.txt
new file mode 100644
index 000000000..95a24ca3f
--- /dev/null
+++ b/demo/ssl/ssl.txt
@@ -0,0 +1,21 @@
+# In demo all key and stores passwords are 'changeit'
+
+# Create CA
+openssl genrsa -des3 -out ca.key 4096
+openssl req -new -x509 -days 365 -key ca.key -out ca.crt
+
+# Tomcat Server
+keytool -genkey -alias tomcat -keyalg RSA -keysize 4096 -keystore server.ks
+keytool -certreq -alias tomcat -keystore server.ks -file tomcat.csr
+openssl x509 -req -set_serial 02 -days 3650 -in tomcat.csr -CA ca.crt -CAkey ca.key -out tomcat.crt
+keytool -import -keystore server.ts -file ca.crt -alias ArgeoDemoCA
+
+# Root User
+#keytool -genkey -alias root@demo -keyalg RSA -keysize 4096 -keystore root@demo.ks
+#keytool -certreq -alias root@demo -keystore root@demo.ks -file root@demo.csr
+
+openssl genrsa -des3 -out root@demo.key 4096 
+openssl req -new -key root@demo.key -out root@demo.csr
+openssl x509 -req -set_serial 03 -days 3650 -in root@demo.csr -CA ca.crt -CAkey ca.key -out root@demo.crt
+
+openssl pkcs12 -export -out root@demo.p12 -inkey root@demo.key -in root@demo.crt -certfile ca.crt
diff --git a/demo/ssl/tomcat.crt b/demo/ssl/tomcat.crt
new file mode 100644
index 000000000..b05dd8c7c
--- /dev/null
+++ b/demo/ssl/tomcat.crt
@@ -0,0 +1,32 @@
+-----BEGIN CERTIFICATE-----
+MIIFdzCCA18CAQIwDQYJKoZIhvcNAQEFBQAwgYsxCzAJBgNVBAYTAkRFMQ8wDQYD
+VQQIDAZCZXJsaW4xDzANBgNVBAcMBkJlcmxpbjEOMAwGA1UECgwFQXJnZW8xEzAR
+BgNVBAsMCkFyZ2VvIERlbW8xFjAUBgNVBAMMDUFyZ2VvIERlbW8gQ0ExHTAbBgkq
+hkiG9w0BCQEWDmRlbW9AYXJnZW8ub3JnMB4XDTEyMDgxMzEzMDQzNVoXDTIyMDgx
+MTEzMDQzNVowdzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UE
+BxMGQmVybGluMQ4wDAYDVQQKEwVBcmdlbzETMBEGA1UECxMKQXJnZW8gRGVtbzEh
+MB8GA1UEAxMYQXJnZW8gRGVtbyBUb21jYXQgU2VydmVyMIICIjANBgkqhkiG9w0B
+AQEFAAOCAg8AMIICCgKCAgEAoF1IzT1815UMzdlvMRkCUy/ISfwArbmGAvv5H1LP
+fPXF+YF6EpjKj74JwHhMGoB1j1BUvem5TeWxszU/mevmFCWvrmO83lBAlSNRX6iJ
+m3np3s2/rrtZg2WUu95ZGkRQ1elPRU9KY99rK+NlJH9X6Y6Bfoi5//OAyeZ+kIxx
+39sYXazAYYS9h+8D1mtSHoSFgLMy73gu4UIeon+GW6PbB+E6kQVlRjumBqLtj6a9
+t59T+coc4UStqmFCuPiZuMvbijS0ZBJxuNcaYATcCIjB/S0Pktfyjgxn3HzCLVtP
+KRskGHHfoxje5QHbH5sE5lEQPMFxuuj5C/9eCKs5+8ob06gNVn4u2SB27mLpafqY
+nJxAhGIqRymZSNwf0Nq7GcUj6OxPCzGG1RBV2Add9YpL4rWAeL1ftdNjRmvDwFpb
+dsY9fO8Oh+sKKsrypQZ0BAHWs+wWVHbgHWHLCv2uky43VRSM3kqBhNcHyc+PWjga
++/5M+dqIyi9onoyrZ/dj+KaS5gS5u5dcpjoweb78r67+hJUw02VzZCXZdZZaadyi
+zTQ8SeGzob47TAgQ15r6PGcSYPhqcEnlu6FoT6IYWh55p1QjAGHmZs3GF93qhwM5
+/9i420gEvqZNegdOTVx+Q2s9VHV7QlMbAKXOaP0degikt5mQPrmmtikAFiwx4/Aw
+Gr8CAwEAATANBgkqhkiG9w0BAQUFAAOCAgEAXEIZ1OpNWguFWdVn5ksTsw/tpm5M
+cTKBleyXNORrtAwZOo9+B60lRjdeOXGt77UAE5O/0EzR1DoUWs4btOHbHQEVNszM
+1GzudWuWawqcDpAaUKaXL0XjQ+dG1apDbq3MbEONkq1AjBtn3gUL4+Q+wFL6+G4Y
+sfAZkws2CQr1j0gTphAkbUDMtxJdOxSZybhTNgi5oShN46NljMvO9hhSbLMKAPrf
+hyEuyznSoGI3/9KVjK7dmmGAI/ieYc8mU1UIyEVUZPoECSBUJ/T7sFilbL6cFAsf
+IJIdvoBt/aW0+uVee0bZ1hrvYMbgj+Z6FzU7OX8mIbj0Sx9WD8kyoDgJjJ5AbVnQ
+XSlFh1WY99XurhokWtphs1Bmpk6c6alRV46NoAZey6c7UK7ugoMM9NNc+xD1+aK2
+k2bRFhu6LTeF5gyV3w9DA25CnXu7qZ6QiZ8Twav4GAPZIsKXqBx8+hEPN7QN9g0Z
+TlmZ0O25CpKRuYMjP6UI5DX3CvTI+UvlEZL5N9apOnTGh9FE3gkmy1I2gaVcuaW6
+HMXaRiMiZNPL/lJx8qgP8j1upiEtbmaL7bxYr1cql2s14YJJyfaoI26D8NGVkYSb
+BWSLhcjcL8TEwZ09r1geL7xodxov5h9KrgctMvcW7s/Co5xw9xIy8ktlanzDmaTV
+UjYW8C1Sk0eMSMM=
+-----END CERTIFICATE-----
diff --git a/demo/ssl/tomcat.csr b/demo/ssl/tomcat.csr
new file mode 100644
index 000000000..cf5521e5d
--- /dev/null
+++ b/demo/ssl/tomcat.csr
@@ -0,0 +1,24 @@
+-----BEGIN NEW CERTIFICATE REQUEST-----
+MIIEvDCCAqQCAQAwdzELMAkGA1UEBhMCREUxDzANBgNVBAgTBkJlcmxpbjEPMA0GA1UEBxMGQmVy
+bGluMQ4wDAYDVQQKEwVBcmdlbzETMBEGA1UECxMKQXJnZW8gRGVtbzEhMB8GA1UEAxMYQXJnZW8g
+RGVtbyBUb21jYXQgU2VydmVyMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAoF1IzT18
+15UMzdlvMRkCUy/ISfwArbmGAvv5H1LPfPXF+YF6EpjKj74JwHhMGoB1j1BUvem5TeWxszU/mevm
+FCWvrmO83lBAlSNRX6iJm3np3s2/rrtZg2WUu95ZGkRQ1elPRU9KY99rK+NlJH9X6Y6Bfoi5//OA
+yeZ+kIxx39sYXazAYYS9h+8D1mtSHoSFgLMy73gu4UIeon+GW6PbB+E6kQVlRjumBqLtj6a9t59T
++coc4UStqmFCuPiZuMvbijS0ZBJxuNcaYATcCIjB/S0Pktfyjgxn3HzCLVtPKRskGHHfoxje5QHb
+H5sE5lEQPMFxuuj5C/9eCKs5+8ob06gNVn4u2SB27mLpafqYnJxAhGIqRymZSNwf0Nq7GcUj6OxP
+CzGG1RBV2Add9YpL4rWAeL1ftdNjRmvDwFpbdsY9fO8Oh+sKKsrypQZ0BAHWs+wWVHbgHWHLCv2u
+ky43VRSM3kqBhNcHyc+PWjga+/5M+dqIyi9onoyrZ/dj+KaS5gS5u5dcpjoweb78r67+hJUw02Vz
+ZCXZdZZaadyizTQ8SeGzob47TAgQ15r6PGcSYPhqcEnlu6FoT6IYWh55p1QjAGHmZs3GF93qhwM5
+/9i420gEvqZNegdOTVx+Q2s9VHV7QlMbAKXOaP0degikt5mQPrmmtikAFiwx4/AwGr8CAwEAAaAA
+MA0GCSqGSIb3DQEBBQUAA4ICAQAs7DPJFRFw3drBpZ+cRXVQIybwYHYfKUPZEOGTX+mFgIgp8qfb
+k5IiTZW5JCj3sbskDUfWRcolCpyapUpB2eNej4Fs7Ry1PzwkzIgY1rMlSUnc0oi0JFpYT541RmWP
+o1e1j6+nEbVaRDZ/qk+vgLg/uCpuMwwdXYNOnax9mmCtXKjdIpwKG/WwqtB7ydDS0AszaItvwM5L
+IRAxuM0FteHYc9b5JCS762UpdJcaDTmvBOOShKG7mMSpFFoFlRThE7+kIQYDiV0pUas9odCEAond
+69sOLy9vIdpi6UHB0kEHB5DzEMlkOI5VyuAgsRQXlzxQKyYDS/PZwrR0+aFRq42ErMkmtFrC9kxG
+oDgFRhSHaej34ifM788x1c1oSq/dcy+DwuhaCXgdaTwnMKQVPQo6mHis6WL3DF8jf2EWJMlxvdw3
+0BwNRNSDAS1wN3jO+fJ7amWPa+OmdbYJB68dFNoSDDWW6Se0NJfKm4QBR21ipVlcC2Bk75s3HBRN
+KM8zV7UHQEgZnptatVtUKgiM3qSVbRxHP/miV/rVQpXAhE7z7ixAclx145piueIs0Jqxr4BgQFMd
+Vxeb4brcYk/3nrRrLKgVhVcywMb1V4YYXKuHIKR+cbHEk/lJ35UfEtCOeUKXyLoavbhoA7Ujfeqg
+0jp+vpbTHSFA6BG6ZUhL6FY+oA==
+-----END NEW CERTIFICATE REQUEST-----
diff --git a/security/modules/org.argeo.security.dao.ldap/META-INF/spring/security-ldap-services.xml b/security/modules/org.argeo.security.dao.ldap/META-INF/spring/security-ldap-services.xml
index 525b84db0..57686c888 100644
--- a/security/modules/org.argeo.security.dao.ldap/META-INF/spring/security-ldap-services.xml
+++ b/security/modules/org.argeo.security.dao.ldap/META-INF/spring/security-ldap-services.xml
@@ -13,7 +13,7 @@
 		<property name="providers">
 			<list>
 				<ref bean="authByAdapterProvider" />
-<!-- 				<ref bean="preAuthAuthenticationProvider" /> -->
+				<ref bean="preAuthProvider" />
 				<ref bean="anonymousAuthenticationProvider" />
 				<ref bean="rememberMeAuthenticationProvider" />
 				<ref bean="ldapAuthenticationProvider" />
@@ -28,10 +28,16 @@
 		<property name="key" value="${argeo.security.systemKey}" />
 	</bean>
 
-<!-- 	<bean id="preAuthAuthenticationProvider" -->
-<!-- 		class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider"> -->
-<!-- 		<description><![CDATA[Pre-authentication]]></description> -->
-<!-- 	</bean> -->
+	<bean id="preAuthProvider"
+		class="org.springframework.security.providers.preauth.PreAuthenticatedAuthenticationProvider">
+		<description><![CDATA[Pre-authentication]]></description>
+		<property name="preAuthenticatedUserDetailsService">
+			<bean id="userDetailsServiceWrapper"
+				class="org.springframework.security.userdetails.UserDetailsByNameServiceWrapper">
+				<property name="userDetailsService" ref="userDetailsManager" />
+			</bean>
+		</property>
+	</bean>
 
 	<bean id="anonymousAuthenticationProvider"
 		class="org.springframework.security.providers.anonymous.AnonymousAuthenticationProvider">
diff --git a/security/plugins/org.argeo.security.ui.rap/plugin.xml b/security/plugins/org.argeo.security.ui.rap/plugin.xml
index 27d151d6f..461cb5948 100644
--- a/security/plugins/org.argeo.security.ui.rap/plugin.xml
+++ b/security/plugins/org.argeo.security.ui.rap/plugin.xml
@@ -51,6 +51,14 @@
             favicon="branding/favicon.ico"
             body="branding/login.html">
       	</branding>
+    	<branding
+			id="org.argeo.security.ui.rap.branding"
+            servletName="clientauth"
+            defaultEntrypointId="org.argeo.security.ui.rap.secureEntryPoint"
+            title="Argeo Web UI"
+            favicon="branding/favicon.ico"
+            body="branding/login.html">
+      	</branding>
     	<branding
 			id="org.argeo.security.ui.rap.branding"
             servletName="public"
diff --git a/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java b/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java
index 233971687..0dd0d173b 100644
--- a/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java
+++ b/security/plugins/org.argeo.security.ui.rap/src/main/java/org/argeo/security/ui/rap/SecureEntryPoint.java
@@ -70,6 +70,7 @@ public class SecureEntryPoint implements IEntryPoint {
 		// around too long
 		RWT.getRequest().getSession().setMaxInactiveInterval(loginTimeout);
 
+		// Try to load security context thanks to the session processing filter
 		HttpServletRequest httpRequest = RWT.getRequest();
 		HttpSession httpSession = httpRequest.getSession();
 		Object contextFromSessionObject = httpSession
@@ -140,7 +141,7 @@ public class SecureEntryPoint implements IEntryPoint {
 					return new Integer(result);
 				}
 			});
-			//logout(loginContext, username);
+			// logout(loginContext, username);
 		} finally {
 			display.dispose();
 		}
diff --git a/server/modules/org.argeo.jackrabbit.webapp/WEB-INF/security-filters.xml b/server/modules/org.argeo.jackrabbit.webapp/WEB-INF/security-filters.xml
index f12f0c804..5d4319222 100644
--- a/server/modules/org.argeo.jackrabbit.webapp/WEB-INF/security-filters.xml
+++ b/server/modules/org.argeo.jackrabbit.webapp/WEB-INF/security-filters.xml
@@ -9,15 +9,15 @@
 	<bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
 		<sec:filter-chain-map path-type="ant">
 			<sec:filter-chain pattern="/webdav/**"
-				filters="session,basic,rememberMe,anonymous,exception,interceptor" />
+				filters="x509,basic,rememberMe,exception,interceptor" />
 			<sec:filter-chain pattern="/remoting/**"
-				filters="session,basic,rememberMe,anonymous,exception,interceptor" />
+				filters="x509,basic,rememberMe,exception,interceptor" />
 			<sec:filter-chain pattern="/public/**"
-				filters="session,anonymous,exception,interceptorPublic" />
+				filters="anonymous,exception,interceptorPublic" />
 			<sec:filter-chain pattern="/pub/**"
-				filters="session,anonymous,exception,interceptorPublic" />
+				filters="anonymous,exception,interceptorPublic" />
 			<sec:filter-chain pattern="/j_spring_security_logout"
-				filters="session,logout,exception" />
+				filters="logout,exception" />
 		</sec:filter-chain-map>
 	</bean>
 
@@ -41,12 +41,23 @@
 		</property>
 	</bean>
 
-	<!-- Integrates the authentication information in the http sessions -->
+	<bean id="x509"
+		class="org.springframework.security.ui.preauth.x509.X509PreAuthenticatedProcessingFilter">
+		<property name="authenticationManager" ref="authenticationManager" />
+		<property name="principalExtractor">
+			<bean
+				class="org.springframework.security.ui.preauth.x509.SubjectDnX509PrincipalExtractor">
+				<property name="subjectDnRegex" value="CN=(.*?)," />
+			</bean>
+		</property>
+	</bean>
+
+	<!-- Integrates the authentication information in the http sessions
 	<bean id="session"
 		class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
 		<property name="allowSessionCreation" value="false" />
 	</bean>
-
+ -->
 	<!-- Processes logouts, removing both session informations and the remember-me 
 		cookie from the browser -->
 	<bean id="logout" class="org.springframework.security.ui.logout.LogoutFilter">
diff --git a/server/modules/org.argeo.jackrabbit.webapp/pom.xml b/server/modules/org.argeo.jackrabbit.webapp/pom.xml
index 0837be7e7..2be9e3d1f 100644
--- a/server/modules/org.argeo.jackrabbit.webapp/pom.xml
+++ b/server/modules/org.argeo.jackrabbit.webapp/pom.xml
@@ -38,6 +38,7 @@
 							org.springframework.security,
 							org.springframework.security.providers.anonymous,
 							org.springframework.security.ui.webapp,
+							org.springframework.security.ui.preauth.x509,
 							org.springframework.web.context,
 							org.springframework.web.filter,
 							org.springframework.web.servlet,
diff --git a/server/modules/org.argeo.server.rap.webapp/WEB-INF/security-filters.xml b/server/modules/org.argeo.server.rap.webapp/WEB-INF/security-filters.xml
index cfe148bd6..45e5457d9 100644
--- a/server/modules/org.argeo.server.rap.webapp/WEB-INF/security-filters.xml
+++ b/server/modules/org.argeo.server.rap.webapp/WEB-INF/security-filters.xml
@@ -9,10 +9,12 @@
 	<bean id="springSecurityFilterChain" class="org.springframework.security.util.FilterChainProxy">
 		<sec:filter-chain-map path-type="ant">
 			<sec:filter-chain pattern="/ui"
-				filters="session,basic,rememberMe,exception,interceptor" />
+				filters="session,x509,basic,rememberMe,exception,interceptor" />
 			<sec:filter-chain pattern="/basicauth"
-				filters="session,basic,exception,interceptor" />
-			<sec:filter-chain pattern="/node" filters="session,exception,interceptor" />
+				filters="session,x509,basic,exception,interceptor" />
+			<sec:filter-chain pattern="/clientauth"
+				filters="session,x509,exception,interceptor" />
+			<!-- <sec:filter-chain pattern="/node" filters="session,x509,exception,interceptor" /> -->
 			<sec:filter-chain pattern="/public"
 				filters="session,anonymous,exception,interceptorPublic" />
 			<sec:filter-chain pattern="/j_spring_security_logout"
@@ -39,6 +41,17 @@
 		</property>
 	</bean>
 
+	<bean id="x509"
+		class="org.springframework.security.ui.preauth.x509.X509PreAuthenticatedProcessingFilter">
+		<property name="authenticationManager" ref="authenticationManager" />
+		<property name="principalExtractor">
+			<bean
+				class="org.springframework.security.ui.preauth.x509.SubjectDnX509PrincipalExtractor">
+				<property name="subjectDnRegex" value="CN=(.*?)," />
+			</bean>
+		</property>
+	</bean>
+
 	<!-- Integrates the authentication information in the http sessions -->
 	<bean id="session"
 		class="org.springframework.security.context.HttpSessionContextIntegrationFilter">
diff --git a/server/modules/org.argeo.server.rap.webapp/WEB-INF/web.xml b/server/modules/org.argeo.server.rap.webapp/WEB-INF/web.xml
index 4a13fe556..a3ca21b63 100644
--- a/server/modules/org.argeo.server.rap.webapp/WEB-INF/web.xml
+++ b/server/modules/org.argeo.server.rap.webapp/WEB-INF/web.xml
@@ -50,6 +50,10 @@
 		<filter-name>springSecurityFilterChain</filter-name>
 		<url-pattern>/basicauth</url-pattern>
 	</filter-mapping>
+	<filter-mapping>
+		<filter-name>springSecurityFilterChain</filter-name>
+		<url-pattern>/clientauth</url-pattern>
+	</filter-mapping>
 	<filter-mapping>
 		<filter-name>springSecurityFilterChain</filter-name>
 		<url-pattern>/none</url-pattern>
diff --git a/server/modules/org.argeo.server.rap.webapp/pom.xml b/server/modules/org.argeo.server.rap.webapp/pom.xml
index aedce79e8..4dbac3ac5 100644
--- a/server/modules/org.argeo.server.rap.webapp/pom.xml
+++ b/server/modules/org.argeo.server.rap.webapp/pom.xml
@@ -33,6 +33,7 @@
 							org.springframework.security.ui.logout,
 							org.springframework.security.ui.rememberme,
 							org.springframework.security.ui.webapp,
+							org.springframework.security.ui.preauth.x509,
 							org.springframework.security.userdetails,
 							org.springframework.security.util,
 							org.springframework.security.vote,
diff --git a/server/modules/org.argeo.server.tomcat/conf/server.xml b/server/modules/org.argeo.server.tomcat/conf/server.xml
index 14c4b9ebc..2e98917a3 100644
--- a/server/modules/org.argeo.server.tomcat/conf/server.xml
+++ b/server/modules/org.argeo.server.tomcat/conf/server.xml
@@ -1,150 +1,38 @@
 <?xml version='1.0' encoding='utf-8'?>
-	<!--
-		Licensed to the Apache Software Foundation (ASF) under one or more
-		contributor license agreements. See the NOTICE file distributed with
-		this work for additional information regarding copyright ownership.
-		The ASF licenses this file to You under the Apache License, Version
-		2.0 (the "License"); you may not use this file except in compliance
-		with the License. You may obtain a copy of the License at
-
-		http://www.apache.org/licenses/LICENSE-2.0 Unless required by
-		applicable law or agreed to in writing, software distributed under the
-		License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
-		CONDITIONS OF ANY KIND, either express or implied. See the License for
-		the specific language governing permissions and limitations under the
-		License.
-	-->
-	<!--
-		Note: A "Server" is not itself a "Container", so you may not define
-		subcomponents such as "Valves" at this level. Documentation at
-		/docs/config/server.html
-	-->
 <Server port="8005" shutdown="SHUTDOWN">
-
 	<!--APR library loader. Documentation at /docs/apr.html -->
-	<Listener className="org.apache.catalina.core.AprLifecycleListener"
-		SSLEngine="on" />
-	<!--
-		Initialize Jasper prior to webapps are loaded. Documentation at
-		/docs/jasper-howto.html
-	-->
+	<!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" 
+		SSLEngine="on" /> -->
+	<!-- Initialize Jasper prior to webapps are loaded. -->
 	<Listener className="org.apache.catalina.core.JasperListener" />
-	<!--
-		JMX Support for the Tomcat server. Documentation at
-		/docs/non-existent.html
-	-->
-	<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
-	<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
+	<!-- JMX -->
+	<!-- <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" 
+		/> <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" 
+		/> -->
 
-
-	<!--
-		A "Service" is a collection of one or more "Connectors" that share a
-		single "Container" Note: A "Service" is not itself a "Container", so
-		you may not define subcomponents such as "Valves" at this level.
-		Documentation at /docs/config/service.html
-	-->
 	<Service name="Catalina">
-
-		<!--
-			The connectors can use a shared executor, you can define one or more
-			named thread pools
-		-->
-		<!--
-			<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
-			maxThreads="150" minSpareThreads="4"/>
-		-->
-
-
-		<!--
-			A "Connector" represents an endpoint by which requests are received
-			and responses are returned. Documentation at : Java HTTP Connector:
-			/docs/config/http.html (blocking & non-blocking) Java AJP Connector:
-			/docs/config/ajp.html APR (HTTP/AJP) Connector: /docs/apr.html Define
-			a non-SSL HTTP/1.1 Connector on port 8080
-		-->
-		<Connector port="${argeo.server.port.http}" protocol="HTTP/1.1"
-			connectionTimeout="20000" redirectPort="${argeo.server.port.https}" />
-		<!-- A "Connector" using the shared thread pool-->
-		<!--
-			<Connector executor="tomcatThreadPool" port="8080"
-			protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
-		-->
-		<!--
-			Define a SSL HTTP/1.1 Connector on port 8443 This connector uses the
-			JSSE configuration, when using APR, the connector should be using the
-			OpenSSL style configuration described in the APR documentation
-		-->
-		<!--
-			<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
-			maxThreads="150" scheme="https" secure="true" clientAuth="false"
-			sslProtocol="TLS" />
-		-->
-
-		<!-- Define an AJP 1.3 Connector on port 8009 -->
+		<Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
+			maxThreads="150" minSpareThreads="4" />
+
+		<!-- HTTP -->
+		<Connector executor="tomcatThreadPool" port="${argeo.server.port.http}"
+			protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="${argeo.server.port.https}" />
+		<!-- HTTPS -->
+		<!-- <Connector port="${argeo.server.port.https}" protocol="HTTP/1.1"
+			SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
+			keystoreFile="${argeo.server.keystoreFile}" keystoreType="JKS"
+			keystorePass="${argeo.server.keystorePass}" truststoreFile="${argeo.server.truststoreFile}"
+			truststoreType="JKS" truststorePass="${argeo.server.truststorePass}"
+			clientAuth="${argeo.server.https.clientAuth}" /> -->
+		<!-- AJP (for proxying with httpd) -->
 		<Connector port="${argeo.server.port.ajp}" protocol="AJP/1.3"
 			redirectPort="${argeo.server.port.https}" />
 
-
-		<!--
-			An Engine represents the entry point (within Catalina) that processes
-			every request. The Engine implementation for Tomcat stand alone
-			analyzes the HTTP headers included with the request, and passes them
-			on to the appropriate Host (virtual host). Documentation at
-			/docs/config/engine.html
-		-->
-
-		<!--
-			You should set jvmRoute to support load-balancing via AJP ie :
-			<Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
-		-->
 		<Engine name="Catalina" defaultHost="localhost">
-
-			<!--
-				For clustering, please take a look at documentation at:
-				/docs/cluster-howto.html (simple how to) /docs/config/cluster.html
-				(reference documentation)
-			-->
-			<!--
-				<Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
-			-->
-
-			<!--
-				The request dumper valve dumps useful debugging information about
-				the request and response data received and sent by Tomcat.
-				Documentation at: /docs/config/valve.html
-			-->
-			<!--
-				<Valve className="org.apache.catalina.valves.RequestDumperValve"/>
-			-->
-
-
-			<!--
-				Define the default virtual host Note: XML Schema validation will not
-				work with Xerces 2.2.
-			-->
 			<Host name="localhost" appBase="webapps" unpackWARs="true"
 				autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false"
 				workDir="work">
-				<!--
-					SingleSignOn valve, share authentication between web applications
-					Documentation at: /docs/config/valve.html
-				-->
-				<!--
-					<Valve className="org.apache.catalina.authenticator.SingleSignOn"
-					/>
-				-->
-
-				<!--
-					Access log processes all example. Documentation at:
-					/docs/config/valve.html
-				-->
-				<!--
-					<Valve className="org.apache.catalina.valves.AccessLogValve"
-					directory="logs" prefix="localhost_access_log." suffix=".txt"
-					pattern="common" resolveHosts="false"/>
-				-->
-
 			</Host>
 		</Engine>
 	</Service>
-</Server>
+</Server>
\ No newline at end of file
diff --git a/server/modules/org.argeo.server.tomcat/tomcat.properties b/server/modules/org.argeo.server.tomcat/tomcat.properties
index f79b2dec4..67f0455eb 100644
--- a/server/modules/org.argeo.server.tomcat/tomcat.properties
+++ b/server/modules/org.argeo.server.tomcat/tomcat.properties
@@ -1,3 +1,10 @@
 argeo.server.port.http=7070
 argeo.server.port.https=7443
 argeo.server.port.ajp=7009
+
+# Used only when SSL is activated (uncommented in server.xml)
+argeo.server.keystoreFile=../../../../ssl/server.ks
+argeo.server.keystorePass=changeit
+argeo.server.truststoreFile=../../../../ssl/server.ts
+argeo.server.truststorePass=changeit
+argeo.server.https.clientAuth=want
\ No newline at end of file