No. I was talking about uploading a file through the HTML file upload.

"Tony Dahbura" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
> Thanks Sean. I am not sure how to have them upload their cert through a form
> upload. Is there a standard API (works in most browsers to cause this?)
>
> I remember netscape had a javascript call to do form signing.....
>
> Tony
>
> Sean Dockery wrote:
>
> > With regard to providing a certificate to the web site, but not
> > authenticating per se:
> >
> > With regard to writing your own custom realm, it seems reasonable--but I
> > would not have thought something like this would be so difficult.
> >
> > Instead of having CLIENT-CERT authentication, you might consider simply
> > having users submit their certificates through a form upload. It might
> > avoid some of the problems that you're facing.
> >
> > With regard to logging out a user:
> >
> > The method that I presented works for FORM authentication only, as BASIC,
> > DIGEST, and CLIENT-CERT deal with (usually) readily available credentials.
> > That, Internet Explorer and Netscape will remember usernames and passwords
> > and continue to use the same authentication information until it
> > fails--before prompting you for a new username and password. I would
> > speculate that they behave in the same manner with respect to a certificate
> > credential. I'm not sure how to get browsers to reset their sessions on the
> > client-side.
> >
> > ----- Original Message -----
> > From: "Tony Dahbura" <[EMAIL PROTECTED]>
> > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > Sent: Tuesday, February 11, 2003 16:37
> > Subject: Re: help with client certificates
> >
> > > That is correct! It is prompting me for my certificate it is just telling
> > > the following on a tomcat error page:
> > >
> > > type Status report
> > >
> > > message Access to the requested resource has been denied
> > >
> > > description Access to the specified resource (Access to the requested
> > > resource has been denied) has been forbidden.
> > >
> > > I am thinking I may need to write a custom realm module that takes a
> > > certificate and just assigns a dummy role to any user. Little bit
> > > convoluted to get this done.....?
> > >
> > > The second thing I am trying to do is logout the user (once they come in
> > > with their cert). Doing a session.invalidate() does not cause the browser
> > > to reprompt the user for their certificate information upon rehitting the
> > > site-was wondering how to do that as well.
> > >
> > > Tony
> > >
> > > Sean Dockery wrote:
> > >
> > > > Let me see if I understand what problem you are experiencing...
> > > >
> > > > By not having role-names, CLIENT-CERT authentication is not being
> > > > enforced? Is that what you mean?
> > > >
> > > > Sean Dockery
> > > > [EMAIL PROTECTED]
> > > > Certified Java Web Component Developer
> > > > Certified Delphi Programmer
> > > > SBD Consultants
> > > > http://www.sbdconsultants.com
> > > >
> > > > ----- Original Message -----
> > > > From: "Tony Dahbura" <[EMAIL PROTECTED]>
> > > > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > > > Sent: Tuesday, February 11, 2003 10:57
> > > > Subject: Re: help with client certificates
> > > >
> > > > > Sean:
> > > > > This matches my xml file to a T except I also have:
> > > > > <login-config>
> > > > >   <auth-method>CLIENT-CERT</auth-method>
> > > > > </login-config>
> > > > >
> > > > > The problem I am trying to solve is the fact that I do not have any
> > > > > role-names. I need to have the application request a certificate
> > > > > from the user when they hit a servlet and just accept it. I
> > > > > basically want to blindly let a user in but require them to present
> > > > > a certificate. The purpose of the application I am writing needs to
> > > > > access data within the certificate and I do not know who the users
> > > > > are until they present the certificate and I can grab some data
> > > > > from it.
> > > > >
> > > > > I need to simulate the actions of the clientAuth="true" on a
> > > > > connector factory (it blindly lets you in but forces a certificate
> > > > > to present). Reason this cannot be used is some of the application
> > > > > needs the cert and some does not.......
> > > > >
> > > > > Hope this explains it!
> > > > >
> > > > > Tony
> > > > >
> > > > > Sean Dockery wrote:
> > > > >
> > > > > > In your web.xml...
> > > > > >
> > > > > > <security-constraint>
> > > > > >   <web-resource-collection>
> > > > > >     <web-resource-name>MySecurityRestriction</web-resource-name>
> > > > > >     <description>Protect the resource.</description>
> > > > > >     <url-pattern>/ServletUrlPattern</url-pattern>
> > > > > >     <http-method>GET</http-method>
> > > > > >     <http-method>POST</http-method>
> > > > > >   </web-resource-collection>
> > > > > >   <auth-constraint>
> > > > > >     <description>Authorized Users Group</description>
> > > > > >     <!-- no role names means no authentication required for this resource -->
> > > > > >     <!--
> > > > > >     <role-name>manager</role-name>
> > > > > >     <role-name>users</role-name>
> > > > > >     -->
> > > > > >   </auth-constraint>
> > > > > >   <user-data-constraint>
> > > > > >     <!-- transport-guarantee must be one of NONE, INTEGRAL, or CONFIDENTIAL -->
> > > > > >     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
> > > > > >   </user-data-constraint>
> > > > > > </security-constraint>
> > > > > >
> > > > > > Google for "transport-guarantee web.xml" on the web.
> > > > > >
> > > > > > Simulating a logout in some servlet code...
> > > > > >
> > > > > > ...
> > > > > >
> > > > > > HttpSession session = request.getSession(false);
> > > > > >
> > > > > > /*
> > > > > >   if there is any information in the session that you want to keep
> > > > > >   (such as a locale override), grab a reference to it here...
> > > > > > */
> > > > > >
> > > > > > if(session != null)
> > > > > >     session.invalidate();
> > > > > >
> > > > > > session = request.getSession(true);
> > > > > >
> > > > > > /*
> > > > > >   restore stuff into the session that you wanted here...
> > > > > > */
> > > > > >
> > > > > > ...
> > > > > >
> > > > > > Sean Dockery
> > > > > > [EMAIL PROTECTED]
> > > > > > Certified Java Web Component Developer
> > > > > > Certified Delphi Programmer
> > > > > > SBD Consultants
> > > > > > http://www.sbdconsultants.com
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: "Tony Dahbura" <[EMAIL PROTECTED]>
> > > > > > To: "Tomcat Users List" <[EMAIL PROTECTED]>
> > > > > > Sent: Tuesday, February 11, 2003 03:11
> > > > > > Subject: help with client certificates
> > > > > >
> > > > > > > I am trying to configure my web application within tomcat to
> > > > > > > require client certificates for certain areas. I am not
> > > > > > > concerned about what the certificate contains-only that it is
> > > > > > > a valid certificate (not expired).
> > > > > > >
> > > > > > > I have the ssl piece working and when I use the connector
> > > > > > > option clientAuth="true" this makes my whole ssl session
> > > > > > > require certificates-which is not what I want.
> > > > > > >
> > > > > > > How can I configure the web.xml file to require certificates
> > > > > > > for only certain servlets/urls of the webapp?
> > > > > > >
> > > > > > > Would like the same functionality of clientAuth="true" (which
> > > > > > > just checks the validity of the certificate but does not try
> > > > > > > to verify or see if the user is in a list somewhere) but at
> > > > > > > the url/servlet level within the web.xml for the web app.
> > > > > > >
> > > > > > > Another quick question is how can one force the user to have
> > > > > > > to select the cert again once inside the web application
> > > > > > > (simulate a logout). Does invalidating the session force this?
> > > > > > > Do not want the user to have to quit out of the browser.
> > > > > > >
> > > > > > > Thanks,
> > > > > > > Tony
> > > > > > >
> > > > > > > ---------------------------------------------------------------------
> > > > > > > To unsubscribe, e-mail: [EMAIL PROTECTED]
> > > > > > > For additional commands, e-mail: [EMAIL PROTECTED]
> > > > >
> > > > > --
> > > > > Tony Dahbura
> > > > > Deployment Director
> > > > > Opsware Business Practice
> > > > > EDS Inc.
> > > > > 13900 Lincoln Park Drive
> > > > > Suite 405/WH-OPS
> > > > > Herndon, VA 20171
> > > > > voice: 703.742.1280
> > > > > fax: 703.742.1163
> > > > > [EMAIL PROTECTED]
> > >
> > > --
> > > Tony Dahbura
> > > Deployment Director
> > > Opsware Business Practice
> > > EDS Inc.
> > > 13900 Lincoln Park Drive
> > > Suite 405/WH-OPS
> > > Herndon, VA 20171
> > > voice: 703.742.1280
> > > fax: 703.742.1163
> > > [EMAIL PROTECTED]
>
> --
> Tony Dahbura
> Deployment Director
> Opsware Business Practice
> EDS Inc.
> 13900 Lincoln Park Drive
> Suite 405/WH-OPS
> Herndon, VA 20171
> voice: 703.742.1280
> fax: 703.742.1163
> [EMAIL PROTECTED]
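The requirement discussed in this thread (demand a client certificate for only some URLs, accept any valid one without roles, then read data from it) can be met with a servlet filter instead of `CLIENT-CERT` and role names. This is an added example, not code from either poster or from Tomcat; `RequireClientCertFilter` and the `app.clientCert` attribute are hypothetical names, and it assumes the connector is set to request but not require a certificate during the TLS handshake (`clientAuth="want"` where the Tomcat version supports it).

```java
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: use <filter-mapping> to apply it only to the URLs that need a certificate. */
public class RequireClientCertFilter implements Filter {
    // Servlet-spec request attribute the container fills with the chain presented in the TLS handshake.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Hypothetical attribute name used to hand the leaf certificate to downstream servlets.
    public static final String CLIENT_CERT = "app.clientCert";

    public void init(FilterConfig config) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        X509Certificate[] certChain = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // No chain means the request did not arrive over TLS or the browser sent no certificate.
        if (!req.isSecure() || certChain == null || certChain.length == 0) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }
        X509Certificate clientCert = certChain[0]; // the client's own certificate comes first
        try {
            clientCert.checkValidity(); // throws if expired or not yet valid at the current time
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate not valid");
            return;
        }
        // No role lookup: any certificate the connector's trust store accepted is let through.
        req.setAttribute(CLIENT_CERT, clientCert);
        chain.doFilter(req, res);
    }
}
```

Under the Servlet specification an `<auth-constraint>` that names no roles denies access to everyone, which is consistent with the 403 page quoted in the thread; the filter avoids role checks entirely. A certificate submitted through a form upload is public data and, unlike the handshake-derived one used here, does not show that the sender holds the matching private key.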