Java Forum / Security / February 2004


CLIENT-CERT Optional

Mark Pfeifer - 28 Jan 2004 15:55 GMT
Everyone -

Is there a way to request but not require a client certificate?  Not
all of our users have certificates, so we need to be able to use a
standard login page for users that do not have certificates.

Any ideas on how to accomplish both types of authentication?

Thanks,
Mark

Using Tomcat.
Michael Amling - 28 Jan 2004 17:06 GMT
> Is there a way to request but not require a client certificate?  Not
> all of our users have certificates, so we need to be able to use a
> standard login page for users that do not have certificates.
>
> Any ideas on how to accomplish both types of authentication?

Could you present a page to the user with one link that leads to
standard and one link that leads to certificate?

--Mike Amling
Mark Pfeifer - 29 Jan 2004 13:51 GMT
>   Could you present a page to the user with one link that leads to
> standard and one link that leads to certificate?

Possibly, but I was hoping that I could accomplish something like IIS
has built-in (require or request certificates).

Thanks,
Mark
Ben_ - 28 Jan 2004 18:05 GMT
See http://www.apache-ssl.org/docs.html#SSLVerifyClient, if it helps.
Mark Pfeifer - 29 Jan 2004 13:54 GMT
> See http://www.apache-ssl.org/docs.html#SSLVerifyClient, if it helps.

Thanks - Have you used this version of Apache?  Is it stable?  

Any ideas on the difference between this version and Apache with mod_ssl?

Also, does your reading of the J2EE spec only have required or not for certs?

Thanks,
Mark
Ben_ - 29 Jan 2004 14:04 GMT
> Have you used this version of Apache?
No, I've only been testing with mod_ssl.

> Any ideas on the difference between this version and Apache with mod_ssl?
No. But you can have a look at their site:
http://www.apache-ssl.org/#mod_ssl.

> Also, does your reading of the J2EE spec only have required or not for certs?
I don't understand the question.
Mark Pfeifer - 04 Feb 2004 16:25 GMT
> > Also, does your reading of the J2EE spec only have required or not for
> certs?
> I don't understand the question.

Sorry, does your reading of the J2EE spec only require vendors to
"require" certs, or do you read it as "request" and "require"
certificates?  My reading is Sun only stated vendors have to require
certificates or not based on the web app configuration.

Make more sense?
Mark
Ben_ - 05 Feb 2004 13:28 GMT
Still not clear to me, so I'll try to guess :-): the spec states that the
deployment descriptor can contain a "transport-guarantee" element, which,
when set to Integral or Confidential, will require the connection to be
https. As this is found in the DD, it can be configured differently for each
webapp.

Here is the spec excerpt I'm referring to:
<!ELEMENT taglib-uri (#PCDATA)>
<!--
The transport-guarantee element specifies that the communication
between client and server should be NONE, INTEGRAL, or
CONFIDENTIAL. NONE means that the application does not require any
transport guarantees. A value of INTEGRAL means that the application
requires that the data sent between the client and server be sent in
such a way that it can't be changed in transit. CONFIDENTIAL means
that the application requires that the data be transmitted in a
fashion that prevents other entities from observing the contents of
the transmission. In most cases, the presence of the INTEGRAL or
CONFIDENTIAL flag will indicate that the use of SSL is required.
Used in: user-data-constraint
-->

Now referring to your initial question of making the client cert optional, I
think the spec doesn't make a clear statement on this. So depending on your
container, you could make it optional or not.
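As an added configuration example (not from the thread or from any of the posters): Tomcat is one container where the "request but don't require" choice is made on the HTTPS Connector, with clientAuth="want", while the web.xml user-data-constraint carries the transport-guarantee element quoted above. Keystore paths, passwords and the /secure/* URL pattern are placeholders.

```xml
<!-- server.xml: HTTPS connector (Tomcat 5-era attributes; Tomcat 6+ also needs SSLEnabled="true").
     clientAuth="true"  : require a client certificate, handshake fails without one
     clientAuth="want"  : request a certificate, but continue the handshake without one
     clientAuth="false" : never ask for one (default) -->
<Connector port="8443" maxThreads="150"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="want"
           keystoreFile="/path/to/server.jks" keystorePass="changeit"
           truststoreFile="/path/to/trusted-client-cas.jks" truststorePass="changeit" />

<!-- web.xml: force HTTPS on the protected area (CONFIDENTIAL => SSL per the spec excerpt).
     Only one auth-method may be declared per webapp; with CLIENT-CERT here, users who
     present no certificate are rejected by the container, so a form-login fallback has to
     be done by application code that inspects the javax.servlet.request.X509Certificate
     request attribute when clientAuth="want" leaves it null. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>secure area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>user</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
```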
Deepak Nayal - 02 Feb 2004 20:00 GMT
In Weblogic Server, the CLIENT-CERT is not just for client certificate.
CLIENT-CERT turns on the identity assertion in weblogic. Using identity
assertion, client can pass any type of tokens(String, Certificate etc.)
to the server. However you need to make your own custom identity
asserter for this.

http://e-docs.bea.com/wls/docs81/dvspisec/ia.html#1170773

Hope this helps.