tomcat-users mailing list archives

From Christopher Schultz
Subject Re: Recognizing certificate removal (SmartCard)
Date Tue, 04 Dec 2012 20:07:49 GMT


On 12/4/12 2:47 PM, Will Nordmeyer wrote:
> Thanks for the quick response and the thoughts.  A 5-minute
> timeout wouldn't be acceptable in our environment - theory being,
> if user A pulls his smart card out (but didn't log out of the app),
> and user B goes up to the machine within 5 minutes, he may have
> access to someone else's account in the application.  So I was
> really hoping there was some way to trigger the session to expire.

The only thing I can think of would be to have the web browser
complicit in the deal: if the browser can be configured to expire the
SSL session when the card is removed, then that is really the only
solution that will be truly secure.

> I'll keep looking, or suggest to my dev team that they write a
> little app that queries the card regularly and as soon as the card
> can't be found, logs out.

Is it a valid use case to have the computer itself logged-in when the
card is removed? For instance, if you configured the machine to
auto-lock when the card was removed, then you might be able to do
other things, too (like kill the browser, which should kill the SSL

-chris
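
The two ideas in this thread (a small helper that watches the card, and locking the machine when the card is removed) combined as an added example; it is not code from either poster or from Tomcat. The class name `CardRemovalWatcher` is hypothetical, and the default action assumes a Windows workstation with a single reader; it uses the JDK's `javax.smartcardio` API.

```java
import java.util.Arrays;
import java.util.List;
import javax.smartcardio.CardException;
import javax.smartcardio.CardTerminal;
import javax.smartcardio.TerminalFactory;

/** Hypothetical helper: runs a command as soon as the smart card leaves the reader. */
public class CardRemovalWatcher {
    // Assumption: Windows desktop; this command locks the workstation.
    // Pass a different command on the command line to override it.
    private static final List<String> DEFAULT_ACTION =
            Arrays.asList("rundll32.exe", "user32.dll,LockWorkStation");

    public static void main(String[] args) throws Exception {
        List<String> action = args.length > 0 ? Arrays.asList(args) : DEFAULT_ACTION;
        List<CardTerminal> terminals = TerminalFactory.getDefault().terminals().list();
        if (terminals.isEmpty()) {
            throw new IllegalStateException("no smart card reader found");
        }
        CardTerminal reader = terminals.get(0); // assumption: one reader per workstation
        while (true) {
            try {
                reader.waitForCardPresent(0);   // 0 = block until a card is inserted
                reader.waitForCardAbsent(0);    // returns once the card is pulled
            } catch (CardException e) {
                // Reader unplugged or PC/SC failure: fail closed, treat it as a removal.
                System.err.println("reader error, treating as removal: " + e.getMessage());
            }
            int exit = new ProcessBuilder(action).inheritIO().start().waitFor();
            System.err.println("removal action exited with status " + exit);
            Thread.sleep(1000); // avoid a tight loop if the reader keeps failing
        }
    }
}
```

This only closes the window on the workstation itself: the Tomcat session stays valid on the server until it times out or is invalidated, so the server-side session timeout still matters.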


