When do I need clientAuth="true" and what does it mean if I use clientAuth="false"?
If I have only configured the webdeployer in JBoss is my authentication secure? And is the communication between JSF and EJB secure?
I hope the questions are not too dumb... :-)
You can set up SSL so the client can access your server via https and be sure you are who you represent yourself as.
But, if you set
the client is also required to have a certificate, and you have to trust this certificate (to have the certificate issuer in your trust store).
Anyone can access your server (open pages, use web services, etc.)
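Added example, not part of the original posts: the two `clientAuth` settings discussed above, side by side as JSSE HTTPS connectors in a Tomcat-style `server.xml` such as the one JBoss Web uses. The ports, file paths and passwords are placeholders chosen for illustration.

```xml
<!-- Constructed fragment for the <Service> element of server.xml. -->

<!-- Server-authenticated TLS only.
     The server proves its identity with the key pair in keystoreFile.
     No client certificate is requested, so any client that can reach the
     port can complete the handshake; users still have to be authenticated
     by the application (form login, BASIC over TLS, and so on). -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="/path/to/server.keystore"
           keystorePass="CHANGE_ME"
           clientAuth="false" />

<!-- Mutual TLS.
     The handshake fails unless the client presents a certificate that
     chains to an issuer stored in truststoreFile. Keep only the CAs that
     issue your client certificates in that trust store; every CA listed
     there can mint a certificate this connector will accept. -->
<Connector port="8444" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="/path/to/server.keystore"
           keystorePass="CHANGE_ME"
           clientAuth="true"
           truststoreFile="/path/to/client-issuers.truststore"
           truststorePass="CHANGE_ME" />

<!-- clientAuth="want" is the third accepted value: a client certificate is
     requested, but the handshake still succeeds when none is sent. -->
```

Both connectors protect only the hop between the browser and the web container; calls from the web tier to EJBs are a separate channel that this setting does not cover.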