The mod_ssl module for Apache has support for this type of config, though: http://www.modssl.org/docs/2.8/ssl_howto.html#ToC8
HTH (or prompts another answer),
Jon
[EMAIL PROTECTED] wrote:
I need help to configure a secure application. I'm trying to request a client certificate in one page only (the rest should be accesible without presenting a certificate) and force to use SSL in the entire application.
I put the following in the web.xml
<security-constraint> <web-resource-collection> <web-resource-name>certificates</web-resource-name> <url-pattern>/certificates/add.action</url-pattern> <http-method>GET</http-method> <http-method>POST</http-method> </web-resource-collection> <auth-constraint> <role-name>*</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>CLIENT-CERT</auth-method> </login-config>
If I add a new url pattern, this page will request client certificate too. How can I force to use SSL without requiring a client certificate but still require it in a specific page?
Thanks in advance.
regards, fabian
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]