Currently we're using our own authentication handler which combines X509 client certificate checking with a username and password check against LDAP. So maybe things are different with the default X509 auth handler, but I don't think so...

The question is this: If we require a client certificate from visitors in order to log them in, how can we also redirect certificate-less visitors to an error page (where we could explain that certs are required)? It seems that our X509 check results in Tomcat sending an HTTP error 42 to the browser with words to the effect of "don't come back here without a certificate!". This is normally exactly what we want, as the browser then prompts the visitor for a certificate - but for those without certificates all they see is the error message - which is completely mis-rendered by most browsers. (IE7 and Opera9 both say "check your internet connection"!)

Of course, 99% of the time this is not a problem. But when we get new colleagues and they try to access our intranet apps without a certificate they currently just get the impression that there are networking issues between them and us - instead of being guided to our CA to get a cert.

The only solution I can think of is to provide a vanilla landing page which states the certificate requirement and provides a hyperlink to start the authentication process. It's not pretty though, as it leads to one extra mouse click per logon, every time.

Cheers
Andy

--

Andy Cowling | UK Core IT
Interactive Data Managed Solutions Ltd
-------------------------------------------------------------------------------------------------------------------------------
Suite 1101, Eagle Tower | Montpellier Drive | Cheltenham GL50 1TA | UK
Tel: +44 (0)1242 6941 15 | Fax: +44 (0)1242 6941 01
[email protected]
http://www.interactivedata-ms.com
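An added example (not from the post or from Tomcat itself) of the usual way to get a friendly page instead of a TLS-level rejection: the Tomcat HTTPS connector is configured with clientAuth="want" rather than clientAuth="true", so the handshake completes whether or not the browser presents a certificate, and a servlet filter then checks for the verified chain that Tomcat exposes as the javax.servlet.request.X509Certificate request attribute and redirects certificate-less visitors to an explanation page. Browsers that do hold a matching certificate are still prompted for it during the handshake, so certificate holders see no extra click. The filter class name and the /no-certificate.html path are assumptions for the example; the connector still validates any presented certificate against its truststore, so the filter only decides what to do when no certificate arrived at all.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Example filter (assumed name): redirects requests that arrived without a
 * client certificate to a plain HTML page explaining the requirement.
 * Requires the HTTPS connector in server.xml to use clientAuth="want",
 * otherwise Tomcat rejects the handshake before this code ever runs.
 */
public class RequireClientCertFilter implements Filter {

    // Standard servlet attribute under which the container places the
    // verified client certificate chain, if one was negotiated.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Assumed location of the explanation page inside this web app.
    private static final String EXPLAIN_PAGE = "/no-certificate.html";

    public void init(FilterConfig cfg) { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest hreq = (HttpServletRequest) req;
        HttpServletResponse hres = (HttpServletResponse) res;

        // The explanation page itself must be reachable without a certificate,
        // or the redirect below would loop forever.
        if (hreq.getRequestURI().endsWith(EXPLAIN_PAGE)) {
            chain.doFilter(req, res);
            return;
        }

        X509Certificate[] certs = (X509Certificate[]) hreq.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // No certificate was presented. Because the TLS handshake still
            // completed (clientAuth="want"), an ordinary HTTP redirect works
            // and renders correctly in every browser.
            hres.sendRedirect(hreq.getContextPath() + EXPLAIN_PAGE);
            return;
        }

        // A certificate was presented and already validated by the connector;
        // hand the request on to the existing authentication handler.
        chain.doFilter(req, res);
    }
}
```

To wire it in, map the filter to /* in web.xml (and place it before any authentication filter) and set clientAuth="want" on the HTTPS connector in server.xml. One caveat worth checking in your own deployment: with "want", a browser that has no certificate installed completes the handshake silently, so any downstream code that assumed "connection established implies certificate present" must now tolerate a null certificate attribute, which is exactly what the filter above guards.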
