Jeremy, I think you are merging two separate issues of authentication and encryption.
You can specify that the conatiner use client certificates as a means to authenticate a user by setting the auth-method element to "CLIENT-CERT". This means that when a user tries to access a restricted resource as set up in you web.xml using security-constraint elements, the container will attempt to authenticate user by authenticating a client certificate in request header. As a separate issue, you can encrypt the transport of data using "two-way" SSL. Which requires a client certificate to be checked by SSL service. This is done by setting a transport-guarantee element to "CONFIDENTIAL" in a user-data-constraint element in web.xml. I would think what you want to do is... 1) secure some url's (i.e. resources) using "CLIENT-CERT" authentication method. 2) then add transport garantees for those secured resources of type "CONFIDENTIAL". does that help? cgriffith View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3955897#3955897 Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3955897 Using Tomcat but need to do more? Need to support web services, security? Get stuff done quickly with pre-integrated technology to make your job easier Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo http://sel.as-us.falkag.net/sel?cmd=lnk&kid=120709&bid=263057&dat=121642 _______________________________________________ JBoss-user mailing list JBoss-user@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/jboss-user
