tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sean Dockery" <s...@sbdconsultants.com>
Subject Re: help with client certificates
Date Tue, 11 Feb 2003 15:54:35 GMT
In your web.xml...

<security-constraint>
<web-resource-collection>
  <web-resource-name>MySecurityRestriction</web-resource-name>
  <description>Protect the resource.</description>
  <url-pattern>/ServletUrlPattern</url-pattern>
  <http-method>GET</http-method>
  <http-method>POST</http-method>
</web-resource-collection>
<auth-constraint>
  <description>Authorized Users Group</description>
<!-- no role names means no authentication required for this resource -->
<!--
  <role-name>manager</role-name>
  <role-name>users</role-name>
-->
</auth-constraint>
<user-data-constraint>
<!-- transport-guarantee must be one of NONE, INTEGRAL, or CONFIDENTIAL -->
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>

Google for "transport-guarantee web.xml" on the web.



Simulating a logout in some servlet code...

...

HttpSession session = request.getSession(false);

/*
  if there is any information in the session that you want to keep (such as
  a locale override), grab a reference to it here...
*/

if(session != null)
  session.invalidate();

session = request.getSession(true);

/*
  restore stuff into the session that you wanted here...
*/

...



Sean Dockery
sean@sbdconsultants.com
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants
http://www.sbdconsultants.com

----- Original Message ----- 
From: "Tony Dahbura" <tony@loudcloud.com>
To: "Tomcat Users List" <tomcat-user@jakarta.apache.org>
Sent: Tuesday, February 11, 2003 03:11
Subject: help with client certificates


> I am trying to configure my web application within tomcat to require 
> client certificates for certain areas.  I am not concerned about what 
> the certificate contains-only that it is a valid certificate (not 
> expired).  
> 
> I have the ssl piece working and when I use the connector option 
> clientAuth="true" this makes my whole ssl session require 
> certificates-which is not what I want.  
> 
> How can I configure the web.xml file to require certificates for only 
> certain servlets/urls of the webapp?  
> 
> Would like the same functionality of clientAuth="true" (which just 
> checks the validity of the certifiicate but does not try to verify or 
> see if the user is in a list somewhere) but at the url/servlet level 
> within the web.xml for the web app.
> 
> 
> Another quick question is how can one force the user to have to select 
> the cert again once inside the web application (simulate a logout). 
>  Does invalidating the session force this?  Do not want the user to have 
> to quit out of the browser.
> 
> 
> Thanks,
> Tony
> 
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Mime
View raw message