Question

I have a requirement to restrict access to a web application (public URL available on the www) and allow it only to a specified set of clients.

Application details as follows:
Technology Used – JSP / Java EE
Deployed on – IBM WebSphere

My problems are:
01. Can this be achieved through client-side SSL certificates?
02. Is any public key / private key technique available for this?
03. Are these techniques dependent on browser type?

Solution

Client certificates are standardized in the servlet spec, so yes this is absolutely possible. You specify CLIENT-CERT in your web.xml file.

You will need to set up the keys in WebSphere's keystore (http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/rsec_csiv2cca.html) but this is a proprietary procedure for different containers.

Client certificates are public/private keys, so that should meet your requirement.

There shouldn't be any browser issues, other than giving the users different instructions for different browsers to set up their certificates.

OTHER TIPS

It's in the Java EE spec, but implementing it has its own problems. These articles show how to enable it and give solutions to common issues that arise in such an authentication scheme.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow