Is it possible to have one-way and mutual SSL for

Posted 2019-08-11 02:30

Question:

I have a scenario with a few REST web services, of which a few need to enforce mutual SSL and a few should just have one-way SSL; here it is the same web application.

Is that possible in a Tomcat/Spring based application?

Answer 1:

Sorry for replying late; yes, I did this, not sure if it is the best way, but kind of a hack.

Step 1: Have one-way SSL set up with clientAuth=want in your Tomcat. This will fix your scenario where you want one-way SSL for all the web services except the one that needs extra/mutual authentication.

Step 2: Now for the web service that needs mutual SSL, write a servlet filter, and for that particular web service URL check the incoming HTTP request for certificates. Loop through the certs found in the request and match them with the certs from your trust store. If you find a match, let the request flow proceed; if not, return an exception saying the SSL cert was not found.

import java.security.cert.X509Certificate;
// Tomcat exposes the client's certificate chain (client cert first) as a request attribute
X509Certificate[] certificates = (X509Certificate[]) request
                    .getAttribute("javax.servlet.request.X509Certificate");

The above code will give you the array of certs in your request.

Note: Make sure your SSL configuration is correct, or else the certificates variable stays null.
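
A complete version of the filter described in Step 2, written here as an added example rather than the answerer's own code. It assumes a Tomcat connector configured with clientAuth="want" (so the handshake succeeds with or without a client certificate), a hypothetical URL pattern /api/secure/* for the mutual-TLS service, and hypothetical init parameters truststorePath and truststorePassword pointing at a JKS or PKCS12 file containing the client certificates you accept. The request attribute name is the javax.servlet one used on Tomcat 9 and earlier; on Tomcat 10+ (Servlet 5/6) the package and the attribute are jakarta.servlet.request.X509Certificate.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.annotation.WebInitParam;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (not the original poster's code): requires a client
 * certificate only for the URLs it is mapped to. Every other URL on the
 * same connector stays one-way TLS because clientAuth="want" never fails
 * the handshake when the client sends no certificate.
 */
@WebFilter(
    urlPatterns = "/api/secure/*",                       // hypothetical path that needs mutual TLS
    initParams = {
        @WebInitParam(name = "truststorePath", value = "/etc/app/clients.p12"),   // hypothetical
        @WebInitParam(name = "truststorePassword", value = "changeit")            // hypothetical
    })
public class ClientCertRequiredFilter implements Filter {

    // Tomcat 9 and earlier; on Tomcat 10+ use "jakarta.servlet.request.X509Certificate"
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Exact certificates we accept. X509Certificate.equals/hashCode use the DER
    // encoding, so a HashSet gives an exact-match (pinning) lookup.
    private final Set<X509Certificate> trusted = new HashSet<>();

    @Override
    public void init(FilterConfig config) throws ServletException {
        String path = config.getInitParameter("truststorePath");
        String password = config.getInitParameter("truststorePassword");
        try (FileInputStream in = new FileInputStream(path)) {
            // The default type on modern JDKs reads both PKCS12 and legacy JKS files.
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password == null ? null : password.toCharArray());
            for (Enumeration<String> aliases = ks.aliases(); aliases.hasMoreElements();) {
                Certificate c = ks.getCertificate(aliases.nextElement());
                if (c instanceof X509Certificate) {
                    trusted.add((X509Certificate) c);
                }
            }
        } catch (IOException | GeneralSecurityException ex) {
            throw new ServletException("cannot load client truststore " + path, ex);
        }
        if (trusted.isEmpty()) {
            throw new ServletException("client truststore " + path + " contains no certificates");
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse http = (HttpServletResponse) res;
        X509Certificate[] chainFromTls = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // null: plain HTTP, a proxy terminated TLS, or the client sent no certificate.
        if (chainFromTls == null || chainFromTls.length == 0) {
            http.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        // Element 0 is the client's own certificate; the rest is its chain.
        X509Certificate leaf = chainFromTls[0];
        try {
            leaf.checkValidity();                         // reject expired / not-yet-valid certs
        } catch (CertificateException ex) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid");
            return;
        }
        if (!trusted.contains(leaf)) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not trusted");
            return;
        }
        chain.doFilter(req, res);                         // authenticated: continue
    }

    @Override
    public void destroy() {
        trusted.clear();
    }
}
```

Two points worth keeping in mind with this approach: Tomcat already validates any presented chain against the connector's truststore during the handshake, so the filter's essential job is the presence check, and the exact-match set on top of that only makes sense if you want to pin specific client certificates rather than trust everything the CA issued. And if TLS is ever terminated in front of Tomcat (as in Answer 2), the attribute is always null and the filter would have to read whatever header the proxy forwards instead, which in turn must be stripped from incoming client requests at the proxy so it cannot be spoofed.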



Answer 2:

If you can use different hosts (assuming the client and server support SNI) or ports, then this should be no problem.

Unfortunately, you cannot vary the SSL configuration based on the URL's path since it is only available after the SSL connection has been established. Your only option in that case would be to make the client certificate optional and ignore any certificates sent for the URLs that do not require it.

In either case, you will almost certainly be better off letting something like Nginx or Apache httpd handle the SSL part and pass any data about the client's certificate (or lack thereof) to your Spring / Tomcat app in an HTTP header.



Answer 3:

You can use TLS ("one-way") for your whole site and then only demand a client certificate when authentication is required. Set your TLS <Connector>'s clientAuth attribute to want and set your auth-method in web.xml to be CLIENT-CERT. That ought to do it.