You simply need to have two security-constraints: One looks like below, and the other has <url-pattern>/*</url-pattern>, and doesn't have an auth-constraint.
<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] I need help to configure a secure application. I'm trying to request a client certificate in one page only (the rest should be accesible without presenting a certificate) and force to use SSL in the entire application. I put the following in the web.xml <security-constraint> <web-resource-collection> <web-resource-name>certificates</web-resource-name> <url-pattern>/certificates/add.action</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>CLIENT-CERT</auth-method> </login-config> If I add a new url pattern, this page will request client certificate too. How can I force to use SSL without requiring a client certificate but still require it in a specific page? Thanks in advance. regards, fabian --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
