tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Recognizing certificate removal (SmartCard)
Date Tue, 04 Dec 2012 20:07:49 GMT

Will,

On 12/4/12 2:47 PM, Will Nordmeyer wrote:
> Thanks for the quick response and the thoughts.  A 5 minute
> timeout wouldn't be acceptable in our environment - theory being,
> if user A pulls his smart card out (but didn't log out of the app),
> and user B goes up to the machine within 5 minutes, he may have
> access to someone else's account in the application.  So I was
> really hoping there was some way to trigger the session to expire.

The only thing I can think of would be to have the web browser
complicit in the deal: if the browser can be configured to expire the
SSL session when the card is removed, then that is really the only
solution that will be truly secure.

> I'll keep looking, or suggest to my dev team that they write a
> little app that queries the card regularly and as soon as the card
> can't be found, logs out.

Is it a valid use case to have the computer itself logged-in when the
card is removed? For instance, if you configured the machine to
auto-lock when the card was removed, then you might be able to do
other things, too (like kill the browser, which should kill the SSL
session).

-chris
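
The two ideas in this thread (a small local app that watches the card, and killing the browser when the card is pulled) can be combined as in the following added example, which is not code from the thread or from Tomcat. It uses the JDK's `javax.smartcardio` API; the browser name `firefox`, the single-reader assumption and the class name are assumptions made for illustration.

```java
import java.util.List;
import java.util.Locale;
import javax.smartcardio.CardException;
import javax.smartcardio.CardTerminal;
import javax.smartcardio.TerminalFactory;

public class CardRemovalWatcher {
    // Assumption: substring of the browser's executable path; adjust per site.
    private static final String BROWSER = "firefox";

    public static void main(String[] args) throws Exception {
        // Assumes a workstation with one PC/SC reader; the first one is used.
        List<CardTerminal> readers = TerminalFactory.getDefault().terminals().list();
        if (readers.isEmpty()) {
            throw new IllegalStateException("no smart card reader found");
        }
        CardTerminal reader = readers.get(0);

        while (true) {
            try {
                reader.waitForCardPresent(0); // 0 = block until a card is inserted
                reader.waitForCardAbsent(0);  // block until that card is removed
            } catch (CardException e) {
                // Reader unplugged or PC/SC failure: fail closed and treat it
                // as a removal, then back off so the loop does not spin.
                System.err.println("reader error, treating as removal: " + e);
                Thread.sleep(1000);
            }
            System.out.println("card removed, browser processes killed: " + killBrowser());
        }
    }

    // Forcibly ends every visible process whose executable path contains BROWSER
    // and returns how many kill requests were accepted. Processes whose command
    // line this user is not allowed to read are skipped.
    static long killBrowser() {
        return ProcessHandle.allProcesses()
                .filter(p -> p.info().command()
                        .map(c -> c.toLowerCase(Locale.ROOT).contains(BROWSER))
                        .orElse(false))
                .filter(ProcessHandle::destroyForcibly)
                .count();
    }
}
```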