Hi

With a newer Tomcat you might use a solution similar to what I have already seen in a WebLogic installation: several security providers were created and configured. The first one able to authenticate the user does the job. Therefore the first would be an authenticator that can handle the chipcard certificates; afterwards you could define a standard handler that can handle a basic authentication. This can also be done only for the developer's workstation.

In your app you would then use just the J2EE principal and roles. I think it should be possible from TC5 on upward.

hth
Alexander

-----Original Message-----
From: Tom Bednarz [mailto:[EMAIL PROTECTED]]
Sent: Monday, April 18, 2005 11:44 AM
To: Struts Users Mailing List
Subject: User Certificates and application managed security -- possible??

Hi,

We have a customer who is introducing chip cards with client certificates for single sign-on. Because of this I have to change a web application we provided. The application implements its own security mechanisms and uses roles (defined for every action in struts-config.xml) and roles in struts-menu to control access to offered functionalities.

If I understand things correctly, to support client certificates I need to define (besides SSL, which is already supported) in my web.xml something like:

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
    </login-config>

What happens to users who DO NOT have a certificate? In my program code I would be able to present a login page and perform a different (second) method of authentication. If I understand things right, the above tag FORCES users to present a certificate to Tomcat (or whatever server) and fails otherwise.

How can this be solved? I should implement something like:

Is a certificate there? If yes, read it and continue in the web app. If not, open a login screen and allow a username / password authentication. Once the authentication was successful I read the roles from a database server and everything should work as it does now (without client certificates).

Many thanks for your help
Tom

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
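An added illustration, not code from either poster, of the "is a certificate there? if yes read it, else show the login screen" logic Tom describes, done inside the application rather than through a CLIENT-CERT login-config. It assumes the Tomcat HTTPS Connector is configured with clientAuth="want" (the certificate is requested during the TLS handshake but its absence is not an error) and no <login-config> in web.xml, so Tomcat itself never rejects a certificate-less browser; Tomcat still validates any presented certificate against its truststore before the request reaches the filter. The filter class name, the /login.do path, the AUTH_USER session key and the mapping of the certificate CN to a login name are all assumptions for the example.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example filter (not from the thread): accept a chip-card certificate when the
 * browser presents one, otherwise send the user to the application's own login
 * page. Assumes Connector clientAuth="want" and NO CLIENT-CERT login-config.
 */
public class CertOrFormAuthFilter implements Filter {

    // Assumed names; the real application chooses its own.
    static final String USER_ATTR = "AUTH_USER";
    static final String LOGIN_PATH = "/login.do";

    public void init(FilterConfig cfg) throws ServletException { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        // Already logged in (earlier certificate or completed form login)?
        if (session.getAttribute(USER_ATTR) != null) {
            chain.doFilter(req, res);
            return;
        }

        // Standard Servlet request attribute. Tomcat sets it only when the
        // client sent a certificate that passed TLS verification; it is never
        // taken from a header, so a client cannot forge it.
        X509Certificate[] certs =
            (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

        if (certs != null && certs.length > 0) {
            // certs[0] is the end-entity (user) certificate.
            String subjectDn = certs[0].getSubjectX500Principal().getName();
            String user = userFromSubject(subjectDn);
            if (user != null) {
                session.setAttribute(USER_ATTR, user);
                // Roles would be loaded from the database here, as for a form login.
                chain.doFilter(req, res);
                return;
            }
            // Valid certificate but no matching user: fall through to the form.
        }

        // Let the login page itself through, otherwise redirect to it.
        if (LOGIN_PATH.equals(request.getServletPath())) {
            chain.doFilter(req, res);
            return;
        }
        response.sendRedirect(request.getContextPath() + LOGIN_PATH);
    }

    public void destroy() { }

    /**
     * Assumption for the example: the certificate's CN is the application
     * login name. A real deployment would look the subject up in its user
     * database and reject subjects it does not know.
     */
    static String userFromSubject(String subjectDn) {
        try {
            for (Rdn rdn : new LdapName(subjectDn).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // Unparseable DN: treat as no usable certificate.
        }
        return null;
    }
}
```

Register the filter in web.xml with a filter-mapping covering the protected Struts actions but not the static login resources. The important security property is where the certificate comes from: only the container-set javax.servlet.request.X509Certificate attribute is trusted, so the application never has to validate a chain itself and the username/password fallback remains an ordinary second path whose roles come from the same database as before.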