On Mon, 16 Aug 2004 09:58:04 -0300 [EMAIL PROTECTED] wrote > I need help to configure a secure application. > I'm trying to request a client certificate in one page only (the rest should > be accesible without presenting a certificate) and force to use SSL in the > entire application. > > I put the following in the web.xml > > <security-constraint> > <web-resource-collection> > <web-resource-name>certificates</web-resource-name> > <url-pattern>/certificates/add.action</url-pattern> > <http-method>GET</http-method> > <http-method>POST</http-method> > </web-resource-collection> > <auth-constraint> > <role-name>*</role-name> > </auth-constraint> > <user-data-constraint> > <transport-guarantee>CONFIDENTIAL</transport-guarantee> > </user-data-constraint> > </security-constraint> > <login-config> > <auth-method>CLIENT-CERT</auth-method> > </login-config> > > > If I add a new url pattern, this page will request client certificate too. > How can I force to use SSL without requiring a client certificate but still > require it in a specific page?
I haven't taken the time to analyze your <security-constraint/>, but my impression is that ssl can't really function without certificates. It might be possible to pre-supply a (fake) client certificate, but I'm not sure that would buy you anything. If the client needs a certificate, it would be best to supply the client with (a real) one (even if only self-certified). If the client doesn't know what to do with a certificate, how would it know what to do with the encrypted streams? -- Joel <[EMAIL PROTECTED]> --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]