Using Apache FakeBasicAuth with Tomcat
This FAQ applies to: Any version.
Some people use Apache's FakeBasicAuth SSL option so that users authenticated by client SSL certificates can be granted access through the normal Apache password mechanism.
When using this system to protect access to GRIA running inside Tomcat, remember that you'll need to create a user in your tomcat-users.xml file whose name is the subject of the certificate, e.g.

<user username="/CN=James/emailAddress=james@gria.org" password="password" roles="gria-basic-app-services_admin"/>

Be extra careful not to allow direct access to Tomcat (without going via Apache), because the FakeBasicAuth password is rather easy to guess!
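
One way to check a deployment for the situation warned about above: this is an added example, not code from GRIA or from the original FAQ. It assumes Apache and Tomcat run on the same host, so that binding every Tomcat Connector to a loopback address is how direct access is prevented; the function names are hypothetical and the two sample files are constructed.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample inputs (not taken from a real deployment).
SAMPLE_USERS = """<tomcat-users>
  <user username="/CN=James/emailAddress=james@gria.org" password="password"
        roles="gria-basic-app-services_admin"/>
  <user username="operator" password="s3parate-Secret" roles="manager"/>
</tomcat-users>"""
SAMPLE_SERVER = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"/>
</Service></Server>"""


def certificate_subject_users(users_xml):
    """Usernames shaped like a certificate subject, e.g. /CN=.../emailAddress=..."""
    names = [u.get("username", "") for u in ET.fromstring(users_xml).iter("user")]
    return [n for n in names if n.startswith("/") and "=" in n]


def is_loopback(address):
    """True only for a loopback IP or 'localhost'."""
    if not address:  # no address attribute: assume it listens on all interfaces
        return False
    try:
        return address.lower() == "localhost" or ipaddress.ip_address(address).is_loopback
    except ValueError:  # any other hostname is treated as exposed
        return False


def exposed_connectors(server_xml):
    """Ports of every Connector that is not bound to loopback."""
    return [c.get("port") for c in ET.fromstring(server_xml).iter("Connector")
            if not is_loopback(c.get("address"))]


def audit(users_xml, server_xml):
    """One finding per exposed connector, only if certificate-subject users exist."""
    users = certificate_subject_users(users_xml)
    if not users:
        return []
    return [f"port {p} bypasses Apache; {len(users)} certificate-subject user(s) exposed"
            for p in exposed_connectors(server_xml)]


if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS, SAMPLE_SERVER):
        print("WARNING:", finding)
```

On the sample input it reports the HTTP connector on port 8080, which has no address attribute; adding address="127.0.0.1" to that Connector clears the finding.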