Sean: This matches my xml file to a T except I also have:

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

The problem I am trying to solve is the fact that I do not have any role-names. I need to have the application request a certificate from the user when they hit a servlet and just accept it. I basically want to blindly let a user in but require them to present a certificate. The purpose of the application I am writing needs to access data within the certificate and I do not know who the users are until they present the certificate and I can grab some data from it.

I need to simulate the actions of the clientAuth="true" on a connector factory (it blindly lets you in but forces a certificate to present). Reason this cannot be used is some of the application needs the cert and some does not.......

Hope this explains it!
Tony

Sean Dockery wrote:

> In your web.xml...
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>MySecurityRestriction</web-resource-name>
>     <description>Protect the resource.</description>
>     <url-pattern>/ServletUrlPattern</url-pattern>
>     <http-method>GET</http-method>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <description>Authorized Users Group</description>
>     <!-- no role names means no authentication required for this resource -->
>     <!--
>     <role-name>manager</role-name>
>     <role-name>users</role-name>
>     -->
>   </auth-constraint>
>   <user-data-constraint>
>     <!-- transport-guarantee must be one of NONE, INTEGRAL, or CONFIDENTIAL -->
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> Google for "transport-guarantee web.xml" on the web.
>
> Simulating a logout in some servlet code...
>
> ...
>
> HttpSession session = request.getSession(false);
>
> /*
> if there is any information in the session that you want to keep (such as
> a locale override), grab a reference to it here...
> */
>
> if(session != null)
>     session.invalidate();
>
> session = request.getSession(true);
>
> /*
> restore stuff into the session that you wanted here...
> */
>
> ...
>
> Sean Dockery
> [EMAIL PROTECTED]
> Certified Java Web Component Developer
> Certified Delphi Programmer
> SBD Consultants
> http://www.sbdconsultants.com
>
> ----- Original Message -----
> From: "Tony Dahbura" <[EMAIL PROTECTED]>
> To: "Tomcat Users List" <[EMAIL PROTECTED]>
> Sent: Tuesday, February 11, 2003 03:11
> Subject: help with client certificates
>
> > I am trying to configure my web application within tomcat to require
> > client certificates for certain areas.  I am not concerned about what
> > the certificate contains-only that it is a valid certificate (not
> > expired).
> >
> > I have the ssl piece working and when I use the connector option
> > clientAuth="true" this makes my whole ssl session require
> > certificates-which is not what I want.
> >
> > How can I configure the web.xml file to require certificates for only
> > certain servlets/urls of the webapp?
> >
> > Would like the same functionality of clientAuth="true" (which just
> > checks the validity of the certificate but does not try to verify or
> > see if the user is in a list somewhere) but at the url/servlet level
> > within the web.xml for the web app.
> >
> > Another quick question is how can one force the user to have to select
> > the cert again once inside the web application (simulate a logout).
> > Does invalidating the session force this?  Do not want the user to have
> > to quit out of the browser.
> >
> > Thanks,
> > Tony
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > For additional commands, e-mail: [EMAIL PROTECTED]

--
Tony Dahbura
Deployment Director
Opsware Business Practice
EDS Inc.
13900 Lincoln Park Drive
Suite 405/WH-OPS
Herndon, VA 20171
voice: 703.742.1280
fax: 703.742.1163
[EMAIL PROTECTED]
