Muhammad,

On 3/8/2011 10:07 AM, Sajjad Awan wrote:
> I have an application running in tomcat 7 developed using spring+
> struts.

Great!

> I have secured this application using verisign server certificate

Note that you have only secured the communication between the client and
the server: you could still have security vulnerabilities that could be
exploited over a secure (SSL) connection.

> but now I want to add some rules to also authenticate user on base of
> client certificate if they hit on some particular url pattern.

You will need to configure your SSL connector to request client
authentication (depending on your needs, you may want to use the "want"
or "true" settings for the "clientAuth" property).

See http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html for more
details. I would read the entire page, taking special care to read the
sections that mention "client authentication".

After you set that up, you'll want to configure your webapp's
WEB-INF/web.xml to use CLIENT-CERT authentication. Set up your
security-constraint sections as with any other kind of authentication.

-chris