Java Forum / Security / July 2004

servlet to bypass the web server's built-in client cert authorization mechanism?

gsgrunt - 06 Jul 2004 21:47 GMT
I need to build a servlet that does its own client certificate
authentication.

Everything is clear to me except how to tell the browser to prompt the user
for the cert.

For a basic username and password login I have used code like this:

// The challenge must name the scheme and quote the realm, and SC_UNAUTHORIZED
// is a static constant of HttpServletResponse, not an instance field.
response.setHeader("WWW-Authenticate", "Basic realm=\"SomeRealm\"");
response.setStatus(HttpServletResponse.SC_UNAUTHORIZED);

I'm having a difficult time finding an example of how to build a response that
will cause the client browser to prompt for a cert.  It must be possible.

Is it a bad idea to try to do client cert authorization and validation from
a servlet, bypassing the web server's built-in client cert authorization
mechanism?

Has anybody else tried to do this?

Thanks
Chris - 11 Jul 2004 01:59 GMT
[snip]
> I'm having a difficult time finding an example of how to build a
> response that
[quoted text clipped - 4 lines]
> validation from a servlet bypassing the web server's built-in client
> cert authorization mechanism?
[snip]

Hi,
It's probably impossible to do exactly what you want. You see, WWW
authentication (basic or digest) via username/password is performed
at the HTTP level of request and response headers. Client certificate
authentication (which can only be done over HTTPS) actually happens
at the SSL level. The connection is established, and the server
demands a client certificate (and checks it) before even allowing the
browser to transmit the request. The server doesn't even know what
URL is going to be requested when it demands the certificate, which
is why the servlet can't possibly handle this case. The server
probably provides some way for your servlet to access various pieces
of the certificate once it starts running (i.e. the subject DN and so
on stored in environment variables or something), but that's too late
for verifying the certificate. If you're trying to make a site
that'll allow the general public to use certificate auth with their
own certificates, your best bet is to load as many CA certificates
into your server as you can find and hope for the best. If you're
doing a private system, it's much easier, as you can just make sure
the one CA that issues all the user certs is loaded in the server. Of
course, for the general-public version, the server simply checks that
the client certificate is valid (i.e. descended from a CA); it
doesn't actually check *who* the cert belongs to unless you add more
configuration. That part could perfectly well be done by the servlet
instead.

Good luck anyway :)
Chris
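An added illustration of the last point in Chris's reply, not code from this thread: once the container has completed the TLS client-cert handshake (for example a connector with client authentication enabled), a servlet can read the verified chain from the standard request attribute and decide *who* is allowed in. The class name, the issuer DN and the subject allowlist are constructed for the example.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
// Hypothetical servlet. It assumes the container already completed the TLS client-cert
// handshake and exposes the verified chain under the standard request attribute below;
// the servlet itself cannot make the browser prompt for a certificate.
public class CertAuthzServlet extends HttpServlet {
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Constructed example values: the single private CA that issues user certs, and the
    // subjects permitted to reach this resource. X500Principal.equals() compares DNs
    // canonically, which is safer than comparing raw DN strings.
    static final X500Principal TRUSTED_ISSUER = new X500Principal("CN=Example Internal CA,O=Example Corp");
    static final Set<X500Principal> ALLOWED_SUBJECTS =
        Set.of(new X500Principal("CN=alice,OU=Staff,O=Example Corp"));
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // No cert was presented at the TLS layer; all the servlet can do now is refuse.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        String denial = authorize(chain[0]); // chain[0] is the end-entity cert per the spec
        if (denial != null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, denial);
            return;
        }
        resp.setContentType("text/plain");
        resp.getWriter().println("hello " + chain[0].getSubjectX500Principal().getName());
    }
    // Returns null if the presented cert is acceptable, otherwise a short denial reason.
    // Chain-of-trust validation is left to the container; this checks identity and period.
    static String authorize(X509Certificate leaf) {
        try {
            leaf.checkValidity();
        } catch (CertificateException e) {
            return "certificate outside its validity period";
        }
        if (!TRUSTED_ISSUER.equals(leaf.getIssuerX500Principal())) return "unexpected issuer";
        if (!ALLOWED_SUBJECTS.contains(leaf.getSubjectX500Principal())) return "subject not authorized";
        return null;
    }
}
```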
