I have a JSF webapplication, I need to enable SSL for 3 pages and need client authentication on only 1 page out of 3 (CertificateLogin page)... application has in all around 15 pages (JSPs)
I thought that it will be possible with following configuration
web.xml
-----------login auth
------------------CLIENT_CERT
-----------Security Constraint for 1st page
------------------data transport = CONFIDENTIAL
-----------Security Constraint for 2nd page
------------------data transport = CONFIDENTIAL
-----------Security Constraint for 3rd page
------------------data transport = CONFIDENTIAL
------------------auth contrained ON for ANYONE (so that this page triggers client - cert authentication)
domain.xml had client-auth-enabled = false under <ssl> tag for <http-listener2 port 8181>
This did not work and IE 7 and Firefox both could not display any of the 3 pages above. i was expecting all of them to work (atleast first 2)
It only worked when client-auth-enabled = true but then all 3 pages were asking for client authentication (last page hit (page 3) was asking for client certificate 2 times per request. first 2 only asked once per request).
how can I make client-authentication to be required only on a subset of page (s) under SSL pages category of a webapplication. i don't want to set client-auth-enabled = true.
thanks
[Message sent by forum member 'anusheel' (anusheel)]
http://forums.java.net/jive/thread.jspa?messageID=299917