On 2/17/10, Mark Thomas <ma...@apache.org> wrote:
> The rules on how security constraints combine are in the Servlet spec.
> It can take a bit of time to get your head around it.
>
> To require a cert for your servlet too, one option would be:
>
>       <security-constraint>
>           <web-resource-collection>
>               <web-resource-name>Everything</web-resource-name>
>               <url-pattern>/*</url-pattern>
>           </web-resource-collection>
>           <auth-constraint>
>               <role-name>X509</role-name>
>           </auth-constraint>
>           <user-data-constraint>
>               <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>           </user-data-constraint>
>       </security-constraint>
>       <login-config>
>           <auth-method>CLIENT-CERT</auth-method>
>       </login-config>
>
> which requires it for everything.

That seems to do the trick!  Thanks very much - I really appreciate
your immediate responses!
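
Added example, not part of the original thread: a servlet that fails closed if a request reaches it without the client certificate that the quoted `CLIENT-CERT` constraint is supposed to enforce, which is what happens when a servlet's URL is not covered by any constraint. The class name and error messages are hypothetical, and the `javax.servlet` API is assumed.

```java
// Added example (not from the thread). Class name and messages are hypothetical.
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class CertRequiredServlet extends HttpServlet {

    // Request attribute defined by the Servlet spec for the client certificate chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The CONFIDENTIAL transport guarantee should already have forced TLS.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }
        // A missing chain means this URL was not covered by the CLIENT-CERT constraint.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }
        // With CLIENT-CERT login the container sets the principal and its roles;
        // "X509" is the role name used in the constraint quoted above.
        if (req.getUserPrincipal() == null || !req.isUserInRole("X509")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Not authorised");
            return;
        }
        X509Certificate leaf = chain[0]; // the client's own certificate comes first
        try {
            leaf.checkValidity(); // reject expired or not-yet-valid certificates
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Certificate not valid");
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated as "
                + leaf.getSubjectX500Principal().getName());
    }
}
```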
