On 18/02/2010 00:42, Kevin Mills wrote:
> On 2/17/10, Mark Thomas <ma...@apache.org> wrote:
>> <snip/>
>>
>>> :-)  "Doesn't work", meaning I don't get prompted for my certificate.
>>> I see my servlet's output without any sort of authentication.
>>
>> What URL are you requesting? Only index.jsp will prompt for a cert. Your
>> servlet will just require SSL to be used.
> 
> Ooooohhh... my mistake!  Yes, index.jsp does prompt me for a
> certificate!  So how would I make the servlet also require one?  I was
> under the (mistaken?) impression that the "/*" url-pattern would cover
> the servlet.

The rules on how security constraints combine are in the Servlet spec.
It can take a bit of time to get your head around it.

To require a cert for your servlet too, one option would be:

      <security-constraint>
          <web-resource-collection>
              <web-resource-name>Everything</web-resource-name>
              <url-pattern>/*</url-pattern>
          </web-resource-collection>
          <auth-constraint>
              <role-name>X509</role-name>
          </auth-constraint>
          <user-data-constraint>
              <transport-guarantee>CONFIDENTIAL</transport-guarantee>
          </user-data-constraint>
      </security-constraint>
      <login-config>
          <auth-method>CLIENT-CERT</auth-method>
      </login-config>

which requires it for everything.

Mark



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
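
An added example, not part of the original message and not Tomcat's code: a small Python model of the Servlet spec rule that only the constraints on the best-matching url-pattern apply to a request, and of how those constraints combine. The BEFORE descriptor, the /myservlet path and all function names are assumptions made for illustration; AFTER mirrors the constraint in the reply above.

```python
import xml.etree.ElementTree as ET

def constraint(pattern, role=None):
    """Constructed <security-constraint>: SSL required, plus a role if one is given."""
    auth = f"<auth-constraint><role-name>{role}</role-name></auth-constraint>" if role else ""
    return ("<security-constraint><web-resource-collection><web-resource-name>x"
            f"</web-resource-name><url-pattern>{pattern}</url-pattern>"
            f"</web-resource-collection>{auth}<user-data-constraint><transport-guarantee>"
            "CONFIDENTIAL</transport-guarantee></user-data-constraint></security-constraint>")

# Constructed descriptors (assumed, not the poster's real web.xml; no XML namespace).
BEFORE = "<web-app>" + constraint("/*") + constraint("/index.jsp", "X509") + "</web-app>"
AFTER = "<web-app>" + constraint("/*", "X509") + "</web-app>"  # the constraint from the reply

def rank(pattern, path):
    """Match strength of a url-pattern for a path (higher wins), or None if no match."""
    if pattern == path:
        return (3, len(pattern))   # exact match
    if pattern.endswith("/*") and (path == pattern[:-2] or path.startswith(pattern[:-1])):
        return (2, len(pattern))   # path prefix, longest wins
    if pattern.startswith("*.") and path.endswith(pattern[1:]):
        return (1, 0)              # extension match
    return (0, 0) if pattern == "/" else None   # default servlet pattern

def effective(web_xml, path):
    """Return (roles, transports) for path; http-method elements are ignored here.
    roles is None if no authentication is required, an empty set if access is denied."""
    hits = [(rank(p.text.strip(), path), sc)
            for sc in ET.fromstring(web_xml).iter("security-constraint")
            for p in sc.iter("url-pattern")]
    hits = [(r, sc) for r, sc in hits if r is not None]
    if not hits:
        return None, {"NONE"}
    best = max(r for r, _ in hits)  # only constraints on the best-matching pattern apply
    roles, anonymous, deny, transports = set(), False, False, set()
    for sc in (sc for r, sc in hits if r == best):
        auth = sc.find("auth-constraint")
        names = set() if auth is None else {n.text.strip() for n in auth.iter("role-name")}
        anonymous |= auth is None                   # no auth-constraint: open access
        deny |= auth is not None and not names      # empty auth-constraint: deny all
        roles |= names                              # named roles: union
        transports.add((sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip())
    if deny:
        return set(), transports
    return (None if anonymous else roles), transports

if __name__ == "__main__":
    for name, xml in (("before", BEFORE), ("after", AFTER)):
        for path in ("/index.jsp", "/myservlet"):   # /myservlet is a hypothetical mapping
            print(name, path, effective(xml, path))
```

With BEFORE, /index.jsp is matched exactly by its own constraint and needs the X509 role, while /myservlet falls through to "/*", which carries only the transport guarantee.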
