On 18/02/2010 00:42, Kevin Mills wrote: > On 2/17/10, Mark Thomas <ma...@apache.org> wrote: >> <snip/> >> >>> :-) "Doesn't work", meaning I don't get prompted for my certificate. >>> I see my servlet's output without any sort of authentication. >> >> What URL are you requesting? Only index.jsp will prompt for a cert. Your >> servlet will just require SSL to be used. > > Ooooohhh... my mistake! Yes, index.jsp does prompt me for a > certificate! So how would I make the servlet also require one? I was > under the (mistaken?) impression that the "/*" url-pattern would cover > the servlet.
The rules on how security constraints combine are in the Servlet spec. It can take a bit of time to get your head around it. To require a cert for your servlet too, one option would be: <security-constraint> <web-resource-collection> <web-resource-name>Everything</web-resource-name> <url-pattern>/*</url-pattern> </web-resource-collection> <auth-constraint> <role-name>X509</role-name> </auth-constraint> <user-data-constraint> <transport-guarantee>CONFIDENTIAL</transport-guarantee> </user-data-constraint> </security-constraint> <login-config> <auth-method>CLIENT-CERT</auth-method> </login-config> which requires it for everything. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org