Yep, just have 2 security-constraint elements in the web.xml, one with:
the other with something like:
<auth-constraint> <role-name>manager</role-name> </auth-constraint>
No, I do not mean transport CONFIDENTIAL, I mean client certificate authentication (CLIENT-CERT).
I.e. one servlet can be accessed only by a client with a certain certificate (CLIENT-CERT method), and another servlet is accessed by user:password (FORM).
The servlet accessed by the CLIENT-CERT method is in fact accessed just by a Java Swing application, not by the browser. So I think I may code some solution, such that the Java app will send the certificate in POST data.
You can't have multiple login-config elements in the web.xml of a webapp.
Hmm, yeah, thanks.
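As an added illustration (not written by any poster in this thread), here is a web.xml sketch of the layout discussed above: two security-constraint elements that share the single login-config a webapp may declare. The URL patterns, the `swingclient` role and the login page paths are assumptions.

```xml
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">

  <!-- Constraint 1: browser-facing servlet, restricted to the manager role -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Manager area</web-resource-name>
      <url-pattern>/manager/*</url-pattern>           <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>manager</role-name>
    </auth-constraint>
  </security-constraint>

  <!-- Constraint 2: servlet used by the Swing client, a different role -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Swing client endpoint</web-resource-name>
      <url-pattern>/swing/*</url-pattern>             <!-- assumed path -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>swingclient</role-name>              <!-- assumed role -->
    </auth-constraint>
  </security-constraint>

  <!-- The descriptor allows at most one login-config per web application,
       so this auth-method applies to BOTH constraints above. Adding a
       second login-config with CLIENT-CERT makes the descriptor invalid. -->
  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>   <!-- assumed page -->
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role><role-name>manager</role-name></security-role>
  <security-role><role-name>swingclient</role-name></security-role>

</web-app>
```

Roles and URL patterns can differ per constraint, but the authentication method cannot. A certificate by itself is public data, so one carried in POST data does not prove possession of the private key the way the TLS handshake behind CLIENT-CERT does.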