Kannan,

On 2/3/2011 2:20 PM, Kannan J wrote:
> In web.xml of a war file I’m forcing ssl to be used for a particular
> servlet. Tomcat has been configured for client authentication.
>
> <!-- Force SSL for entire site -->
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>RUSA Authentication</web-resource-name>
>     <url-pattern>/ClientCertSignServlet</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
>
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
>   <realm-name>Client Cert Users-only Area</realm-name>
> </login-config>
>
> When I try to access the servlet (using http url), it immediately
> returns 302 permanently moved. It is supposed to ask the user to choose
> a certificate from the list of available certificates in the browser
> cert store and use it for client authentication. How to get it working?

You have http://host/ClientCertSignServlet configured to redirect to
https://host/ClientCertSignServlet due to the <transport-guarantee>. Did
you expect some other response than 302?

SSL client certificates can't be negotiated over HTTP... you need HTTPS.

-chris
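
An added example, not part of the original message and not Tomcat code: a small Python check that reads a web.xml and reports what the descriptor implies for one request, reproducing the 302 to HTTPS for a CONFIDENTIAL path requested over HTTP. It goes one step beyond the thread by also flagging a CLIENT-CERT login-config that no <auth-constraint> triggers; `audit`, `WEB_XML` and the simplified URL matching are assumptions of this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the fragment quoted in the thread inside a <web-app> root.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>RUSA Authentication</web-resource-name>
      <url-pattern>/ClientCertSignServlet</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

def _find_all(node, name):
    # Compare local names so a namespaced web.xml is handled as well.
    return [e for e in node.iter() if e.tag.rsplit("}", 1)[-1] == name]

def _matches(pattern, path):
    # Simplified servlet matching: prefix (/a/*), extension (*.jsp), exact.
    if pattern.endswith("/*"):
        return path == pattern[:-2] or path.startswith(pattern[:-1])
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return pattern == path

def audit(web_xml, scheme, path):
    """Return (outcome, warnings) implied by the descriptor for one request.
    Hypothetical helper; <http-method> restrictions are ignored."""
    root = ET.fromstring(web_xml)
    methods = [e.text.strip() for e in _find_all(root, "auth-method")]
    confidential = auth_required = False
    for sc in _find_all(root, "security-constraint"):
        patterns = [p.text.strip() for p in _find_all(sc, "url-pattern")]
        if not any(_matches(p, path) for p in patterns):
            continue
        guarantees = {g.text.strip() for g in _find_all(sc, "transport-guarantee")}
        confidential |= bool(guarantees & {"CONFIDENTIAL", "INTEGRAL"})
        auth_required |= bool(_find_all(sc, "auth-constraint"))
    warnings = []
    if "CLIENT-CERT" in methods and not auth_required:
        warnings.append("CLIENT-CERT declared, but no <auth-constraint> covers "
                        + path + ": the container will not require a login here")
    if confidential and scheme == "http":
        # Redirect happens before any authentication step is reached.
        return "302 redirect to https", warnings
    return "served over " + scheme, warnings
```

Whether the browser is asked for a certificate during the TLS handshake regardless of web.xml depends on the HTTPS connector's own client-authentication setting, which this check does not read.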