hc-httpclient-users mailing list archives

From Roland Weber <http-as...@dubioso.net>
Subject Re: Implementation of Certificate Based Authentication
Date Fri, 15 Dec 2006 16:13:29 GMT
Hello Lalit,

> I am trying to implement certificate based authentication between HttpClient and a WebLogic 8.1 server.
> 
> I have one web application in the WebLogic server. In this application we have defined the authentication scheme as "BASIC" with user name and password.
> [...]
> 
> Also, is it required to use "SSL" for certificate based authentication?

I'm afraid you are missing some very fundamental information about
the principles of certificate based authentication. Since it is
beyond the scope of this mailing list to explain cryptography basics,
here are some pointers:

Julius' mail explaining the purpose of certificates
http://mail-archives.apache.org/mod_mbox/jakarta-httpclient-user/200611.mbox/%3c598ad5b50611302021x78dea3fbnbdbad1a12672e0e3@mail.gmail.com%3e

RFC 2246, in particular section 7.4.6
http://www.ietf.org/rfc/rfc2246.txt
-> Yes, it is required to use SSL/TLS for certificate based authentication

Client HTTP Programming Primer, scope of HttpClient
http://wiki.apache.org/jakarta-httpclient/ForAbsoluteBeginners#head-e5df784207b3082d88f0c254a0b656275c2b2855
-> SSL/TLS is on the transport layer, it does not know about HTTP
There is no HTTP authentication scheme for certificate based authentication,
and if the client is authenticated by a certificate it does not make sense
to require additional BASIC authentication.


On the client, you need a key store that must be unlocked by the
user when an SSL connection with client authentication is established
to the server. That means you need a custom SecureProtocolSocketFactory
that handles client authentication. The appropriate client certificate
needs to be deployed to the key store on each client machine.
On the server, you should search the documentation for details on how
to configure certificate based client authentication. This is not just
a checkbox in a dialog, you will have to prepare the infrastructure for
certificate management and validation.

cheers,
  Roland
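The custom socket factory Roland describes, as an added example (not code from the original thread or from the HttpClient project): it implements the HttpClient 3.x SecureProtocolSocketFactory interface on top of an SSLContext built from a client key store and a server trust store. The store paths and passwords are caller-supplied placeholders, and the class name is the example's own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import org.apache.commons.httpclient.params.HttpConnectionParams;
import org.apache.commons.httpclient.protocol.Protocol;
import org.apache.commons.httpclient.protocol.ProtocolSocketFactory;
import org.apache.commons.httpclient.protocol.SecureProtocolSocketFactory;
public class ClientCertSocketFactory implements SecureProtocolSocketFactory {
    private final SSLSocketFactory sslFactory;   // built once; presents the client certificate on every connect
    // keyStorePath: the client's private key and certificate chain, sent in reply to the server's
    // CertificateRequest (RFC 2246 section 7.4.6). trustStorePath: CA certificates used to verify the server.
    public ClientCertSocketFactory(String keyStorePath, char[] keyStorePassword,
                                   String trustStorePath, char[] trustStorePassword) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keyStorePath)) { keyStore.load(in, keyStorePassword); }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);   // unlocks the key store so the private key can sign the handshake
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustStorePath)) { trustStore.load(in, trustStorePassword); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                   // server certificate validation stays enabled
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        sslFactory = ctx.getSocketFactory();
    }
    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort) throws IOException {
        return sslFactory.createSocket(host, port, localAddr, localPort);
    }
    public Socket createSocket(String host, int port, InetAddress localAddr, int localPort,
                               HttpConnectionParams params) throws IOException {
        Socket socket = sslFactory.createSocket(host, port, localAddr, localPort);
        socket.setSoTimeout(params.getSoTimeout());   // honour HttpClient's configured read timeout
        return socket;
    }
    public Socket createSocket(String host, int port) throws IOException {
        return sslFactory.createSocket(host, port);
    }
    public Socket createSocket(Socket socket, String host, int port, boolean autoClose) throws IOException {
        return sslFactory.createSocket(socket, host, port, autoClose);
    }
    public static void register(ClientCertSocketFactory factory) {   // replaces HttpClient's default https handler
        Protocol.registerProtocol("https", new Protocol("https", (ProtocolSocketFactory) factory, 443));
    }
}
```

Construct the factory (this is the point at which the key store password is needed) and call register() once at startup, before HttpClient opens its first https connection.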
