Hello Jesse,

Thanks for your input. I will try to get more info from the Tomcat user list regarding which version supports what.
Tom


Jesse Alexander (KBSA 21) wrote:

Hi

With a newer Tomcat you might use a solution similar to what I have already seen
in a WebLogic-installation:
Several security-providers were created and configured. The first one
able to authenticate the user does the job. Therefore the first would be an authenticator that can handle the chipcard-certificates; afterwards
you could define a standard handler that can handle a basic-authentication.
This can also be done only for the developer's workstation.


In your app you would then use just the J2EE-principal and roles.

I think it should be possible from TC5 on upward

hth
Alexander

-----Original Message-----
From: Tom Bednarz [mailto:[EMAIL PROTECTED]
Sent: Monday, April 18, 2005 11:44 AM
To: Struts Users Mailing List
Subject: User Certificates and application managed security -- possible??


Hi,

We have a customer who is introducing chip cards with client-certificates for single sign on. Because of this I have to change a web-application we provided. The application implements its own security mechanisms and uses roles (defined for every action in struts-config.xml) and roles in struts-menu to control access to offered functionalities.

If I understand things correctly, to support client-certificates I need to define (beside SSL which is already supported) in my web.xml something like:

<login-config>
   <auth-method>CLIENT-CERT</auth-method>
</login-config>

What happens to users who DO NOT have a certificate? In my program code I would be able to present a login-page and perform a different (second) method of authentication. If I understand things right, the above tag FORCES users to present a certificate to Tomcat (or whatever server) and fails otherwise.

How can this be solved? I should implement something like:

Is a certificate there? If yes read it and continue in the web app. If not, open a login screen and allow a username / password authentication. Once the authentication was successful I read the roles from a database server and everything should work as it does now (without client certificates)

Many thanks for your help

Tom


---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
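The "certificate if present, otherwise login form, then roles from the database" flow described in the question, as an added servlet-filter sketch (not code from the thread). It assumes the Tomcat SSL connector is set to clientAuth="want" so requests without a certificate still arrive, that a hypothetical /login* action stores the authenticated name in the session attribute "authUser", and it replaces the role database with constructed sample data.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.*;

// Hypothetical filter (added example): client certificate first, form login second.
public class CertOrFormFilter implements Filter {
    // Stand-in for the role database mentioned in the question (constructed data).
    private static final Map<String, Set<String>> ROLES = new HashMap<String, Set<String>>();
    static {
        ROLES.put("CN=alice,O=Example", new HashSet<String>(Arrays.asList("user", "admin")));
        ROLES.put("bob", new HashSet<String>(Arrays.asList("user")));
    }

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest r = (HttpServletRequest) req;
        HttpSession s = r.getSession(true);
        String user = (String) s.getAttribute("authUser");

        if (user == null) {
            // Tomcat sets this attribute only when the connector negotiated AND verified
            // a client certificate against its trust store (clientAuth="want").
            X509Certificate[] certs = (X509Certificate[])
                r.getAttribute("javax.servlet.request.X509Certificate");
            if (certs != null && certs.length > 0) {
                user = certs[0].getSubjectX500Principal().getName(); // map subject DN to account
            } else if (r.getServletPath().startsWith("/login")) {
                chain.doFilter(req, res); // let the username/password action run;
                return;                   // on success it stores "authUser" in the session
            } else {
                ((HttpServletResponse) res).sendRedirect(r.getContextPath() + "/login.jsp");
                return;
            }
            // A valid certificate that maps to no known account must not get in.
            if (!ROLES.containsKey(user)) { ((HttpServletResponse) res).sendError(403); return; }
            s.setAttribute("authUser", user);
        }
        final String name = user;
        final Set<String> roles = ROLES.get(name);
        // Expose the result through the standard J2EE methods so Struts role checks work unchanged.
        chain.doFilter(new HttpServletRequestWrapper(r) {
            public java.security.Principal getUserPrincipal() {
                return new java.security.Principal() { public String getName() { return name; } };
            }
            public String getRemoteUser() { return name; }
            public boolean isUserInRole(String role) { return roles != null && roles.contains(role); }
        }, res);
    }
}
```

Because the container has already validated the chain, the filter only maps the subject to an account; it never parses or trusts certificate fields on its own.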








