I would recommend placing Apache in front of Tomcat. You can also use mod_security on Apache to further lock down your application. I have found that if you want security, do not use Tomcat by itself. I never liked the idea of placing keystore passwords in XML files. At least Apache prompts you for a password when it starts up. As far as authenticating users based on their key(s), you would have to enforce mutually authenticated SSL, get the certificate and validate it against a CA inside of Tomcat. This all is fairly easy to do.

On 10/14/05, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hello!
> I am a newbie to Tomcat.
> I have configured Tomcat as a standalone web server for HTTP and HTTPS,
> and now I am trying to develop a secure application (using SSL) which will
> do user authentication and perform user specific actions.
>
> I need some help/tutorial (JAVA) which can guide me to authenticate user
> using symmetric keys. For instance how to generate/exchange symmetric key
> and how to authenticate user etc.
>
> Thanks a lot in advance
>
> Jawwad
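
The certificate check the reply describes (take the client certificate from a mutually authenticated SSL connection and validate it against a CA inside Tomcat), as an added example that is not part of the original thread. The class name `ClientCertCheck` and the trust store holding only the CA(s) that issue user certificates are assumptions; revocation checking is switched off only to keep the example self-contained.

```java
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;

/** Hypothetical helper: validates a client certificate chain against a dedicated CA trust store. */
public final class ClientCertCheck {

    // Assumption: this KeyStore contains ONLY the CA(s) allowed to issue user certificates,
    // not the JVM's default cacerts, so a certificate from any public CA is not accepted.
    private final KeyStore trustedCas;

    public ClientCertCheck(KeyStore trustedCas) {
        this.trustedCas = trustedCas;
    }

    /**
     * In a servlet the chain comes from
     *   (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate")
     * which the container fills in when the SSL connector requires client authentication.
     *
     * @return the subject DN of the end-entity certificate if the chain validates
     * @throws Exception if no certificate was presented or PKIX validation fails
     */
    public String authenticate(X509Certificate[] chain) throws Exception {
        if (chain == null || chain.length == 0) {
            throw new SecurityException("no client certificate presented");
        }
        // PKIX expects the trust anchor to be outside the path: drop a trailing self-signed root.
        int end = chain.length;
        X509Certificate last = chain[end - 1];
        if (end > 1 && last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
            end--;
        }
        CertPath path = CertificateFactory.getInstance("X.509")
                .generateCertPath(Arrays.asList(chain).subList(0, end));

        PKIXParameters params = new PKIXParameters(trustedCas);
        // Assumption for this example: no CRL/OCSP source is configured.
        // Enable revocation checking when the CA publishes revocation data.
        params.setRevocationEnabled(false);

        // Checks signatures, validity dates and chaining to one of the trusted CAs.
        CertPathValidator.getInstance("PKIX").validate(path, params);
        return chain[0].getSubjectX500Principal().getName();
    }
}
```

The returned subject DN identifies the user; map it to an application account rather than trusting any field the client sends separately.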