I recently configured tomcat 6 with SSL and client authentication, but the only way I could do it was modifying server configuration files (web.xml, server.xml). But as I don't have full control over the deployment server, I would like to configure everything just for some pages or url-patterns of my application without modifying the main configuration files.

For example: Main server:

• Application1 -> HTTP
• Application2 -> HTTP
• MyApplication -> HTTPS

If somebody knows how to do it, please tell me.

The only way to get https going is to write the appropriate connector on the server.xml file under the <service> tag. Once you setup the connector you can access all applications in the server with http or https. The only difference is what connector gets used. Typically the connectors for http and https look like these:

<Connector port="80" protocol="HTTP/1.1"
           maxThreads="150" connectionTimeout="20000"
           redirectPort="443"
           URIEncoding="UTF-8" compression="on"/>

<Connector port="443" protocol="HTTP/1.1"
           maxThreads="150" connectionTimeout="20000"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/.keystore"
           keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"
           URIEncoding="UTF-8" compression="on"/>

You can then force your application to always use https by adding the transport-guarantee tag to web.xml which ends up something like this:

<security-constraint>
    <web-resource-collection>
        <web-resource-name>Administrators</web-resource-name>
        <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
        <role-name>Administrators</role-name>
    </auth-constraint>
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

You can change the transport-guarantee for the different web resources you define. Thus allowing you to protect certain parts of the site and not others.

At the very end having the connector in server.xml does not force you yo use https for all applications. It only allows the use of the https connector.

In addition to @rmarimon's answer, If you dont want to change server.xml, you would have to write a Filter to check for your application URLs and redirect back to http/https as appropriate.

However, a Filter would still require a definition and <filter-mapping> in web.xml