Hello Jesse,
Thanks for your input. I will try to get more info from the Tomcat
user list regarding which version supports what.
Tom
Jesse Alexander (KBSA 21) wrote:
Hi
With a newer Tomcat you might use a solution similar to what I have already seen
in a WebLogic-installation:
Several security providers were created and configured. The first one
able to authenticate the user does the job. Therefore the first would
be an authenticator that can handle the chipcard certificates; afterwards
you could define a standard handler that can handle basic authentication.
This can also be done only for the developer's workstation.
In your app you would then use just the J2EE-principal and roles.
I think it should be possible from TC5 on upward
hth
Alexander
-Original Message-
From: Tom Bednarz [mailto:[EMAIL PROTECTED]
Sent: Monday, April 18, 2005 11:44 AM
To: Struts Users Mailing List
Subject: User Certificates and application managed security -- possible??
Hi,
We have a customer who is introducing chip cards with
client-certificates for single sign on. Because of this I have to change
a web-application we provided. The application implements its own
security mechanisms and uses roles (defined for every action in
struts-config.xml) and roles in struts-menu to control access to offered
functionalities.
If I understand things correctly, to support client-certificates I need
to define (beside SSL which is already supported) in my web.xml
something like:
<auth-method>CLIENT-CERT</auth-method>
What happens to users who DO NOT have a certificate? In my program code
I would be able to present a login-page and perform a different (second)
method of authentication. If I understand things right, the above tag
FORCES users to present a certificate to Tomcat (or whatever server) and
fails otherwise.
How can this be solved? I should implement something like:
Is a certificate there? If yes read it and continue in the web app. If
not, open a login screen and allow a username / password authentication.
Once the authentication was successful I read the roles from a database
server and everything should work as it does now (without client
certificates).
Many thanks for your help
Tom
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
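The "certificate if present, login form otherwise" flow that Tom asks for and that Alexander suggests building from chained authenticators can also be kept entirely application-managed, which matches an app that already does its own role checks. The servlet Filter below is an added example written for this thread, not code from either poster. It assumes the HTTPS connector is configured so the TLS handshake requests a client certificate but does not require one (Tomcat's connector attribute clientAuth="want"; check the connector docs for the Tomcat version in use), because with <auth-method>CLIENT-CERT</auth-method> the container itself rejects requests without a certificate and no fallback is possible. RoleStore, AuthUser, DemoRoleStore, the session key and the login URLs are hypothetical names chosen for the example; the demo users are constructed data.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example (not from the thread): application-managed login that prefers a
 * client certificate and falls back to a username/password form.
 * Assumes the HTTPS connector uses clientAuth="want" (Tomcat), so the handshake
 * asks for a certificate but still completes without one.
 * RoleStore, AuthUser, DemoRoleStore and the login URLs are hypothetical.
 */
public class CertOrFormLoginFilter implements Filter {
    // Standard servlet attribute; the container sets it only for a certificate
    // it verified against its configured truststore. Never trust a header instead.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final String SESSION_USER = "authUser";   // assumed session key
    static final String LOGIN_PAGE = "/login.jsp";   // assumed form page
    static final String LOGIN_ACTION = "/login.do";  // assumed form POST target

    /** Authenticated identity the Struts actions read from the session. */
    public static final class AuthUser {
        public final String name;
        public final Set<String> roles;
        AuthUser(String name, Set<String> roles) {
            this.name = name;
            this.roles = Collections.unmodifiableSet(new HashSet<String>(roles));
        }
        public boolean hasRole(String role) { return roles.contains(role); }
    }

    /** Hypothetical role store; the real app would query its database here. */
    public interface RoleStore {
        Set<String> rolesForSubject(String subjectDn);            // null if unknown
        Set<String> rolesForPassword(String user, String password); // null if bad
    }

    /** Constructed demo data; a real store holds hashed passwords and DB-backed roles. */
    static final class DemoRoleStore implements RoleStore {
        private final Map<String, Set<String>> bySubject = new HashMap<String, Set<String>>();
        private final Map<String, String> passwords = new HashMap<String, String>();
        DemoRoleStore() {
            bySubject.put("CN=alice,O=Example,C=CH", new HashSet<String>(Arrays.asList("user", "admin")));
            passwords.put("bob", "s3cret");
        }
        public Set<String> rolesForSubject(String dn) { return bySubject.get(dn); }
        public Set<String> rolesForPassword(String user, String pw) {
            return pw != null && pw.equals(passwords.get(user))
                ? new HashSet<String>(Arrays.asList("user")) : null;
        }
    }

    private RoleStore store;

    public void init(FilterConfig cfg) { store = new DemoRoleStore(); }
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String path = request.getRequestURI().substring(request.getContextPath().length());

        if (request.getSession(true).getAttribute(SESSION_USER) == null) {
            AuthUser user = fromCertificate(request);
            if (user == null && LOGIN_ACTION.equals(path) && "POST".equals(request.getMethod())) {
                user = fromForm(request);
            }
            if (user == null) {
                // No certificate and no valid form credentials: show the login page.
                if (!LOGIN_PAGE.equals(path) && !LOGIN_ACTION.equals(path)) {
                    response.sendRedirect(request.getContextPath() + LOGIN_PAGE);
                    return;
                }
            } else {
                // Fresh session after login so a pre-login session id is not kept (session fixation).
                request.getSession().invalidate();
                request.getSession(true).setAttribute(SESSION_USER, user);
            }
        }
        chain.doFilter(req, res);
    }

    /** Certificate path: map the verified client certificate's subject DN to roles. */
    private AuthUser fromCertificate(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) return null;
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) return null;               // chain[0] is the client's own cert
        String subject = chain[0].getSubjectX500Principal().getName(); // RFC 2253 form
        Set<String> roles = store.rolesForSubject(subject);
        return roles == null ? null : new AuthUser(subject, roles);
    }

    /** Form path: username/password from the login form POST. */
    private AuthUser fromForm(HttpServletRequest request) {
        String name = request.getParameter("username");
        Set<String> roles = name == null ? null
            : store.rolesForPassword(name, request.getParameter("password"));
        return roles == null ? null : new AuthUser(name, roles);
    }
}
```

Map the filter to /* in web.xml and drop the <login-config> element, since the container is no longer doing the authentication. Two points to keep in mind: the certificate is only trusted because the connector validated it against the truststore during the handshake, so the truststore must contain exactly the chipcard issuer CAs; and the DN-to-user mapping should key on the full subject DN (or issuer plus serial), not on the CN alone, since two issuers can easily produce the same CN.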