I was wondering if you ever figured this out. I am having a similar problem. Even though I set auth-method to CLIENT-CERT in my web.xml, the server never asks for a client certificate.
I know it is not since I can access pages that should be restricted from a browser with no client certificates.
If you were able to solve this problem, could you please share what needs to be done?
Thanks,
Eraser
[Message sent by forum member 'eraser' (eraser)]
http://forums.java.net/jive/thread.jspa?messageID=217267