Hi Legolas,
Legolas Woodland wrote:
> Thank you for reading my post
> Can someone please explain to me what the differences are between using
> the following items in the web descriptor and changing the entire http
> listener to use SSL?
> How is it that a listener serves requests to this servlet over https
> and other requests over http?
>
>
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Secure Area</web-resource-name>
>     <url-pattern>/HelloServletService/HelloServlet</url-pattern>
>     <http-method>POST</http-method>
>   </web-resource-collection>
>   <auth-constraint>
>     <role-name>EMPLOYEE</role-name>
>   </auth-constraint>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>
> <login-config>
>   <auth-method>CLIENT-CERT</auth-method>
>   <realm-name>certificate</realm-name>
> </login-config>
>
>
When you try to access /HelloServletService/HelloServlet,
the following will happen:

- If the request has been received over http, the requested transport
  guarantee of "CONFIDENTIAL" will cause the request to be redirected
  to the https listener.
- If the https listener on which the redirected request is received
  does not enforce client authentication (via the "client-auth-enabled"
  attribute of its <ssl> configuration element in domain.xml), the
  container will cause an SSL re-handshake to occur, with client auth
  enabled. This will address the CLIENT-CERT authentication constraint.

> Another question related to this matter is, what does
> "<realm-name>certificate</realm-name>" do here?
> How does it work and understand which certification it should use?
>
The "certificate" realm helps the server decide whether the SSL cert
chain supplied by the client may be trusted, by validating the chain
against the server's trust store (of trusted certificates).
Jan
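
Added example, not part of the original message or of the application server's own code: a short Python audit that reads a deployment descriptor and reports, per URL pattern, which HTTP methods are forced onto https and which authentication method applies. The sample web.xml is constructed from the descriptor quoted in the thread; the function name audit and the finding keys are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the constraint quoted in the thread, wrapped in <web-app>.
WEB_XML = """<web-app>
 <security-constraint>
  <web-resource-collection>
   <web-resource-name>Secure Area</web-resource-name>
   <url-pattern>/HelloServletService/HelloServlet</url-pattern>
   <http-method>POST</http-method>
  </web-resource-collection>
  <auth-constraint><role-name>EMPLOYEE</role-name></auth-constraint>
  <user-data-constraint>
   <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
 </security-constraint>
 <login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</web-app>"""

def audit(web_xml):
    """Return one finding per url-pattern of every security-constraint."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # strip any xmlns prefix so plain tag names match
        el.tag = el.tag.rsplit("}", 1)[-1]
    auth = (root.findtext("login-config/auth-method") or "NONE").strip()
    findings = []
    for sc in root.iter("security-constraint"):
        tg = (sc.findtext("user-data-constraint/transport-guarantee") or "NONE").strip()
        roles = [r.text.strip() for r in sc.findall("auth-constraint/role-name")]
        for wrc in sc.findall("web-resource-collection"):
            methods = [m.text.strip() for m in wrc.findall("http-method")]
            for pat in wrc.findall("url-pattern"):
                findings.append({
                    "pattern": pat.text.strip(),
                    "methods": methods or ["*"],      # no <http-method> = all methods
                    "https_required": tg != "NONE",   # CONFIDENTIAL or INTEGRAL
                    "roles": roles,
                    "auth_method": auth,
                    # Methods not listed are outside this constraint entirely.
                    "other_methods_uncovered": bool(methods),
                })
    return findings

if __name__ == "__main__":
    for finding in audit(WEB_XML):
        print(finding)
```

Under the Servlet specification, a constraint that names <http-method> elements applies only to those methods, so with the descriptor above only POST is redirected to https and subject to CLIENT-CERT. Other methods on the same URL are not covered by this constraint unless another one names them.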