Hi,
We have a customer who is introducing chip cards with client-certificates for single sign on. Because of this I have to change a web-application we provided. The application implements its own security mechanisms and uses roles (defined for every action in struts-config.xml) and roles in struts-menu to control access to offered functionalities.
If I understand things correctly, to support client-certificates I need to define (besides SSL, which is already supported) in my web.xml something like:
<login-config> <auth-method>CLIENT-CERT</auth-method> </login-config>
What happens to users who DO NOT have a certificate? In my program code I would be able to present a login-page and perform a different (second) method of authentication. If I understand things right, the above tag FORCES users to present a certificate to Tomcat (or whatever server) and fails otherwise.
How can this be solved? I should implement something like:
Is a certificate there? If yes, read it and continue in the web app. If not, open a login screen and allow a username / password authentication. Once the authentication was successful, I read the roles from a database server and everything should work as it does now (without client certificates).
Many thanks for your help
Tom
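One way to implement the "certificate if present, form login otherwise" flow described above, as an added example that is not part of the original post. It is a servlet Filter and assumes the Tomcat HTTPS connector is set to clientAuth="want" (so the container asks for a certificate but does not reject users without one) and that no CLIENT-CERT login-config is used, since that would make the certificate mandatory; the session key, login path and filter class name are assumptions.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (not from the original post): trusts the client
// certificate when the TLS connector presents one, otherwise sends the user
// to the application's own username/password login form.
public class OptionalCertAuthFilter implements Filter {

    // Servlet-spec request attribute under which the container exposes the
    // client certificate chain (set only when the client actually sent one).
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final String USER_KEY = "authenticatedUser"; // session attribute (assumption)
    static final String LOGIN_PAGE = "/login.do";        // form-login entry point (assumption)

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        if (session.getAttribute(USER_KEY) == null) {
            String user = userFromCertificate(request);
            if (user != null) {
                // Certificate path: identity comes from the chain Tomcat already
                // verified against its truststore. Map this DN to the database
                // user before loading roles, exactly as for a form login.
                session.setAttribute(USER_KEY, user);
            } else if (!request.getServletPath().equals(LOGIN_PAGE)) {
                // No certificate: fall back to the login form. The login action
                // is expected to set USER_KEY in the session on success.
                response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    // Returns the subject DN of the end-entity certificate, or null when the
    // client presented no certificate at all.
    static String userFromCertificate(HttpServletRequest request) {
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) return null;
        return chain[0].getSubjectX500Principal().getName();
    }
}
```

Map the filter to the protected URL patterns in web.xml; the login action itself must stay reachable without a session, which the servlet-path check above provides.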