Posted to user@struts.apache.org by Tom Bednarz <li...@bednarz.ch> on 2005/04/18 13:10:23 UTC

Re: User Certificates and application managed security -- possible??

Hello Jesse,

Thanks for your input. I will try to get more info from the Tomcat 
userlist regarding which version supports what.
Tom

Jesse Alexander (KBSA 21) wrote:

>Hi
>
>With a newer Tomcat you might use a solution similar to what I have already seen
>in a WebLogic-installation:
>Several security-providers were created and configured. The first one
>able to authenticate the user does the job. Therefore the first would 
>be an authenticator that can handle the chipcard-certificates, afterwards
>you could define a standard handler that can handle a basic-authentication.
>This can also be done only for the developer's workstation.
>
>In your app you would then use just the J2EE-principal and roles.
>
>I think it should be possible from TC5 on upward
>
>hth
>Alexander
>
>-----Original Message-----
>From: Tom Bednarz [mailto:list@bednarz.ch] 
>Sent: Monday, April 18, 2005 11:44 AM
>To: Struts Users Mailing List
>Subject: User Certificates and application managed security -- possible??
>
>Hi,
>
>We have a customer who is introducing chip cards with 
>client-certificates for single sign on. Because of this I have to change 
>a web-application we provided. The application implements its own 
>security mechanisms and uses roles (defined for every action in 
>struts-config.xml) and roles in struts-menu to control access to offered 
>functionalities.
>
>If I understand things correctly, to support client-certificates I need 
>to define (beside SSL which is already supported) in my web.xml 
>something like:
>
><login-config>
>    <auth-method>CLIENT-CERT</auth-method>
></login-config>
>
>What happens to users who DO NOT have a certificate? In my program code 
>I would be able to present a login-page and perform a different (second) 
>method of authentication. If I understand things right, the above tag 
>FORCES users to present a certificate to Tomcat (or whatever server) and 
>fails otherwise.
>
>How can this be solved? I should implement something like:
>
>Is a certificate there? If yes read it and continue in the web app. If 
>not, open a login screen and allow a username / password authentication. 
>Once the authentication was successful I read the roles from a database 
>server and everything should work as it does now (without client 
>certificates)
>
>Many thanks for your help
>
>Tom
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: user-unsubscribe@struts.apache.org
>For additional commands, e-mail: user-help@struts.apache.org
>


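The "certificate if present, otherwise login form" flow Tom describes, written out as a servlet filter. This is an added example and not code from the thread or from the Struts project. It assumes the Tomcat SSL connector is configured with clientAuth="want" (certificate requested but optional, so the handshake does not fail for users without a card), that no CLIENT-CERT login-config is declared in web.xml (the application keeps managing security itself), that the application's login action lives at /login.do, and it replaces the role database with a constructed in-memory table. Names such as MixedAuthFilter, completeFormLogin and the attribute keys are made up for the example.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter for an application that manages its own security:
 * use the client certificate when the TLS layer presented one, otherwise
 * fall back to the application's own username/password login page.
 * Mapped in web.xml to /* in front of the Struts action servlet.
 */
public class MixedAuthFilter implements Filter {

    static final String USER_KEY = "authenticatedUser";
    static final String ROLES_KEY = "userRoles";
    static final String LOGIN_PATH = "/login.do";   // assumed path of the app's login action

    // Constructed stand-in for the role database. Keys are either a
    // certificate subject DN (RFC 2253 form) or a form-login username.
    private static final Map<String, Set<String>> ROLE_TABLE = new HashMap<String, Set<String>>();
    static {
        ROLE_TABLE.put("CN=Alice Example,O=Example AG,C=CH", roles("admin", "user"));
        ROLE_TABLE.put("bob", roles("user"));
    }

    private static Set<String> roles(String... names) {
        return new HashSet<String>(Arrays.asList(names));
    }

    public void init(FilterConfig config) { }
    public void destroy() { }

    @SuppressWarnings("unchecked")
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        HttpSession session = request.getSession(true);

        String user = (String) session.getAttribute(USER_KEY);
        if (user == null) {
            // 1. Certificate path: the container sets this attribute only after the
            //    TLS handshake verified the chain against its trust store, so a DN
            //    taken from here is authenticated; never accept one from a header.
            user = userFromCertificate(request);
            if (user != null) {
                session.setAttribute(USER_KEY, user);
                session.setAttribute(ROLES_KEY, ROLE_TABLE.get(user));
            }
        }

        if (user == null) {
            // 2. No usable certificate and no prior login: let the login action
            //    through (it calls completeFormLogin on success), redirect the rest.
            if (LOGIN_PATH.equals(request.getServletPath())) {
                chain.doFilter(req, res);
            } else {
                response.sendRedirect(request.getContextPath() + LOGIN_PATH);
            }
            return;
        }

        // 3. Expose principal and roles through the standard servlet API so the
        //    roles attribute in struts-config.xml (request.isUserInRole) keeps working.
        Set<String> roles = (Set<String>) session.getAttribute(ROLES_KEY);
        chain.doFilter(withPrincipal(request, user, roles), res);
    }

    /** Called by the username/password login action once it has verified the password. */
    static void completeFormLogin(HttpSession session, String username) {
        session.setAttribute(USER_KEY, username);
        session.setAttribute(ROLES_KEY, ROLE_TABLE.get(username));
    }

    static String userFromCertificate(HttpServletRequest request) {
        Object attr = request.getAttribute("javax.servlet.request.X509Certificate");
        if (!(attr instanceof X509Certificate[])) return null;
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) return null;
        X509Certificate leaf = chain[0];         // chain[0] is the client's own certificate
        try {
            leaf.checkValidity();                // reject expired or not-yet-valid certificates
        } catch (CertificateException e) {
            return null;
        }
        String dn = leaf.getSubjectX500Principal().getName();
        return ROLE_TABLE.containsKey(dn) ? dn : null;  // a valid but unknown DN is not a user
    }

    private static HttpServletRequest withPrincipal(HttpServletRequest request,
                                                    final String user, final Set<String> roles) {
        return new HttpServletRequestWrapper(request) {
            public String getRemoteUser() { return user; }
            public Principal getUserPrincipal() {
                return new Principal() { public String getName() { return user; } };
            }
            public boolean isUserInRole(String role) { return roles != null && roles.contains(role); }
        };
    }
}
```

Two points worth checking when adapting this: the X509Certificate request attribute is populated by the container only for certificates it has already validated against the connector's trust store, so the filter trusts the subject DN but still checks the validity period itself; and revocation (a lost or withdrawn chip card) is not covered by the handshake unless the connector is configured for CRL or OCSP checking, so the DN lookup against the user table is also the place to disable a card.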