> The key part of the FAQ seems to be "[i]the first
> request that qualifies for the <auth-constraint> will
> trigger the client-certificate authentication[/i]".
> Does this mean that I need to use container managed
> roles in order for the web.xml configuration to
> trigger the client certificate authentication?
That is correct.
With Java EE 6 you can actually control authentication by explicitly calling authenticate(..) from within your servlet methods (as opposed to having an auth-constraint). You can already try that out with latest V3.
Another way you can control things on your own is to configure a JSR-196 Server Authentication Module, but that could involve quiet some coding on your part since you are pretty much in control of the whole authentication process then.
[Message sent by forum member 'kumarjayanti' (kumarjayanti)]
http://forums.java.net/jive/thread.jspa?messageID=359843