In your web.xml...

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>MySecurityRestriction</web-resource-name>
        <description>Protect the resource.</description>
        <url-pattern>/ServletUrlPattern</url-pattern>
        <http-method>GET</http-method>
        <http-method>POST</http-method>
      </web-resource-collection>
      <auth-constraint>
        <description>Authorized Users Group</description>
        <!-- no role names means no authentication required for this resource -->
        <!--
        <role-name>manager</role-name>
        <role-name>users</role-name>
        -->
      </auth-constraint>
      <user-data-constraint>
        <!-- transport-guarantee must be one of NONE, INTEGRAL, or CONFIDENTIAL -->
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

Google for "transport-guarantee web.xml" on the web.

Simulating a logout in some servlet code...

    ...
    HttpSession session = request.getSession(false);
    /* if there is any information in the session that you want to keep
       (such as a locale override), grab a reference to it here... */
    if (session != null) session.invalidate();
    session = request.getSession(true);
    /* restore stuff into the session that you wanted here... */
    ...

Sean Dockery
[EMAIL PROTECTED]
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

----- Original Message -----
From: "Tony Dahbura" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <[EMAIL PROTECTED]>
Sent: Tuesday, February 11, 2003 03:11
Subject: help with client certificates

> I am trying to configure my web application within tomcat to require
> client certificates for certain areas. I am not concerned about what
> the certificate contains-only that it is a valid certificate (not
> expired).
>
> I have the ssl piece working and when I use the connector option
> clientAuth="true" this makes my whole ssl session require
> certificates-which is not what I want.
>
> How can I configure the web.xml file to require certificates for only
> certain servlets/urls of the webapp?
>
> Would like the same functionality of clientAuth="true" (which just
> checks the validity of the certificate but does not try to verify or
> see if the user is in a list somewhere) but at the url/servlet level
> within the web.xml for the web app.
>
> Another quick question is how can one force the user to have to select
> the cert again once inside the web application (simulate a logout).
> Does invalidating the session force this? Do not want the user to have
> to quit out of the browser.
>
> Thanks,
> Tony
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]