1. Re: Mixing CLIENT-CERT and BASIC authentication
alexanders Mar 26, 2009 12:14 PM (in response to fthurber)

Not sure this question is in scope of the forum.
Two things you need to describe in your web.xml:
1) A security constraint mapped to some url pattern that requires some role.
2) The role mapped to a security domain.
So you need to configure your web.xml as follows:
Two different security constraints, each mapped to its own url pattern, e.g.
<url-pattern>/*_cert_requred_*</url-pattern>
requires some role: "CertProtected"
<url-pattern>/*_passwd_requred_*</url-pattern>
requires some role: "PasswordProtected"
The best way to do this is to separate your app into subcontexts:
<url-pattern>/cert_requred/*</url-pattern>
<url-pattern>/passwd_requred/*</url-pattern>
Then you need to map each role to its JAAS domain.
If you map several security constraints to one url pattern (/*), the result depends on the implementation. In the best case you will get the last constraint working.
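As an added illustration (not from either poster), this is the web.xml layout alexanders describes: two security-constraints on separate subcontexts, each requiring its own role. The role names and url-patterns are alexanders'; the realm-name value and the CONFIDENTIAL transport guarantee on the certificate path are my assumptions.

```xml
<web-app>
  <!-- Constraint 1: everything under /cert_requred/ needs the CertProtected role.
       Client-certificate authentication only makes sense over TLS, so the
       transport guarantee is set to CONFIDENTIAL (assumed, not from the thread). -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>cert-protected</web-resource-name>
      <url-pattern>/cert_requred/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>CertProtected</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Constraint 2: everything under /passwd_requred/ needs the PasswordProtected role. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>password-protected</web-resource-name>
      <url-pattern>/passwd_requred/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>PasswordProtected</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- login-config selects the auth-method for the whole web application.
       As fthurber notes below, it is tied to a realm-name, not to a role or to
       one of the constraints above, which is why a single web.xml cannot say
       "CLIENT-CERT for constraint 1, BASIC for constraint 2" here. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>ExampleRealm</realm-name> <!-- placeholder realm name -->
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared. -->
  <security-role>
    <role-name>CertProtected</role-name>
  </security-role>
  <security-role>
    <role-name>PasswordProtected</role-name>
  </security-role>
</web-app>
```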
2. Re: Mixing CLIENT-CERT and BASIC authentication
fthurber Mar 26, 2009 1:58 PM (in response to fthurber)

"alexanders" wrote:
Not sure this question is in scope of the forum.
Two things you need to describe in your web.xml:
1) A security constraint mapped to some url pattern that requires some role.
2) The role mapped to a security domain.
So you need to configure your web.xml as follows:
Two different security constraints, each mapped to its own url pattern, e.g.
<url-pattern>/*_cert_requred_*</url-pattern>
requires some role: "CertProtected"
<url-pattern>/*_passwd_requred_*</url-pattern>
requires some role: "PasswordProtected"
The best way to do this is to separate your app into subcontexts:
<url-pattern>/cert_requred/*</url-pattern>
<url-pattern>/passwd_requred/*</url-pattern>
Then you need to map each role to its JAAS domain.
If you map several security constraints to one url pattern (/*), the result depends on the implementation. In the best case you will get the last constraint working.

The key seems to be "map each role to its JAAS domain"; I cannot see how to do that. The choice of auth-method, either CLIENT-CERT or BASIC, is made in the login-config element, but that is not mapped to a specific role; it does seem to be mapped to a realm-name. Is there a mapping between realms and roles?