tomcat-users mailing list archives

From "Sean Dockery" <>
Subject Re: help with client certificates
Date Tue, 11 Feb 2003 15:54:35 GMT
In your web.xml...

  <description>Protect the resource.</description>
  <description>Authorized Users Group</description>
<!-- no role names means no authentication required for this resource -->
<!-- transport-guarantee must be one of NONE, INTEGRAL, or CONFIDENTIAL -->

Google for "transport-guarantee web.xml" on the web.

Simulating a logout in some servlet code...


HttpSession session = request.getSession(false);

// If there is any information in the session that you want to keep (such as
// a locale override), grab a reference to it here...

if (session != null) {
    // Drop the old session and everything bound to it
    session.invalidate();
}

// Start a fresh session for the same client
session = request.getSession(true);

// Restore stuff into the session that you wanted here...


Sean Dockery
Certified Java Web Component Developer
Certified Delphi Programmer
SBD Consultants

----- Original Message ----- 
From: "Tony Dahbura" <>
To: "Tomcat Users List" <>
Sent: Tuesday, February 11, 2003 03:11
Subject: help with client certificates

> I am trying to configure my web application within tomcat to require 
> client certificates for certain areas.  I am not concerned about what 
> the certificate contains-only that it is a valid certificate (not 
> expired).  
> I have the ssl piece working and when I use the connector option 
> clientAuth="true" this makes my whole ssl session require 
> certificates-which is not what I want.  
> How can I configure the web.xml file to require certificates for only 
> certain servlets/urls of the webapp?  
> Would like the same functionality of clientAuth="true" (which just 
> checks the validity of the certificate but does not try to verify or 
> see if the user is in a list somewhere) but at the url/servlet level 
> within the web.xml for the web app.
> Another quick question is how can one force the user to have to select 
> the cert again once inside the web application (simulate a logout). 
>  Does invalidating the session force this?  Do not want the user to have 
> to quit out of the browser.
> Thanks,
> Tony

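An added example, not part of the original message or of Tomcat's own documentation: a web.xml fragment of the kind the reply describes, requiring a client certificate for one URL pattern only. The URL pattern /secure/*, the resource name and the role name certuser are hypothetical; the element names and the CLIENT-CERT auth method come from the servlet deployment descriptor.

```xml
<!-- Added example: fragment for WEB-INF/web.xml, placed inside <web-app>. -->
<!-- /secure/*, "Certificate area" and certuser are hypothetical names. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Certificate area</web-resource-name>
    <description>Protect the resource.</description>
    <!-- Only requests matching this pattern are covered by the constraint -->
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <description>Authorized Users Group</description>
    <!-- Naming a role makes the container authenticate the caller -->
    <role-name>certuser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- transport-guarantee must be one of NONE, INTEGRAL, or CONFIDENTIAL -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- Authenticate with the client's X.509 certificate, not a password -->
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <description>Authorized Users Group</description>
  <role-name>certuser</role-name>
</security-role>
```

With CLIENT-CERT the container authenticates the presented certificate against its configured realm, so the certificate's subject has to map to a user holding the named role. The connector keeps clientAuth="false" so that URLs outside the pattern do not prompt for a certificate.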