Java Servlet Spec's declarative security does just that. See jboss server guide security chapter http://docs.jboss.org/jbossas/jboss4guide/r4/html/ch8.chapter.html
as well as wiki http://wiki.jboss.org/wiki/Wiki.jsp?page=SecureAWebApplicationInJBoss
I think I see how that would work for standard security - the part of the problem that I am struggling with is that we are doing 2-way SSL.
I have clientauth="true" in the connector configuration in Tomcat's server.xml. Basically, that has made it so that everyone who connects to the site has to present a certificate.
What I need is for a few directories to not require the client certificate.
For the record, I am running JBoss 4.0.2 with Josso, in case that clears anything up for anyone. Sorry if I left out some details or was a little hazy about them the first time around.
I think you are merging two separate issues of authentication and encryption.
You can specify that the container use client certificates as a means to authenticate a user by setting the auth-method element to "CLIENT-CERT". This means that when a user tries to access a restricted resource as set up in your web.xml using security-constraint elements, the container will attempt to authenticate the user by authenticating a client certificate in the request header.
As a separate issue, you can encrypt the transport of data using "two-way" SSL, which requires a client certificate to be checked by the SSL service. This is done by setting a transport-guarantee element to "CONFIDENTIAL" in a user-data-constraint element in web.xml.
I would think what you want to do is...
1) secure some URLs (i.e. resources) using the "CLIENT-CERT" authentication method.
2) then add transport guarantees for those secured resources of type "CONFIDENTIAL".
does that help? cgriffith
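A web.xml that puts both of those steps together, added here as an example and not taken from the thread or from any JBoss documentation; the /secure/* and /public/* paths, the CertUser role and the realm name are assumed, and the role still has to be mapped to certificate subjects by the security domain configured for the web application.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): Servlet 2.4 deployment descriptor
     that requires a client certificate only for /secure/*, so that
     /public/* and any other unmatched URL is served without one. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Step 1: restrict only these resources. URLs not covered by any
       security-constraint (e.g. /public/*) need no authentication. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Certificate-protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <!-- Assumed role name; the security domain decides which
           certificate subjects are granted it. -->
      <role-name>CertUser</role-name>
    </auth-constraint>
    <!-- Step 2: transport guarantee for the same resources, so they are
         only reachable over SSL. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- The container authenticates the caller by its client certificate
       instead of a form or BASIC challenge. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>ClientCertRealm</realm-name>
  </login-config>

  <security-role>
    <role-name>CertUser</role-name>
  </security-role>
</web-app>
```

Note that clientAuth="true" on the Tomcat connector is enforced in the TLS handshake for every connection, before web.xml is ever consulted, so with it in place the unconstrained directories will still demand a certificate. For the descriptor above to have the intended effect, the connector must stop requiring a certificate from everyone (Tomcat accepts clientAuth="want" or "false") and leave it to the CLIENT-CERT authenticator to ask for one when a constrained URL is hit.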