users@jax-rpc.java.net

RE: Mutual SSL authentication with JAX-RPC

From: Sharib Anis <sharib.anis_at_wilabs.com>
Date: Fri, 19 Nov 2004 10:11:37 +0800

Hi Ryan,

First you have to decide what kind of authentication you want to use. Three
types are common:

* HTTP basic authentication--The Web server authenticates a principal using
the username and password obtained from the Web client. The username and
password are included in the HTTP headers and are handled at the transport
layer.
* Form-based authentication--A developer can customize a form for entering
username and password information, and then use this form to pass the
information to the J2EE Web container. This type of authentication, geared
toward Web page presentation applications, is not used for Web services.
* HTTPS mutual authentication--Both the client and the server use digital
certificates to establish their identity, and authentication occurs over a
channel protected by Secure Sockets Layer.

It seems to me you're trying to use the last one. If yes, then
1. You do need to set this:
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
and this:
<user-data-constraint>
  <transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
in the <security-constraint/>.
These settings are only on the server side.
2. Import the server cert into client keystore AND vice versa.
3. In Tomcat, you may set clientAuth="true". It's not a must; you may
also set it to "want" if you want Tomcat to request a client certificate
but not fail if one isn't presented.

Thanks and Regards,
Sharib Anis
Senior Research Engineer
Wireless Intellect Labs Pte Ltd
A MobileOne Company
http://www.wilabs.com
sharib.anis_at_wilabs.com
DID: +65-6843 8672; Fax: +65-6560-4950 (TZ: +0800 GMT)

There are 10 kinds of people in the world, those who understand binary and
those who don't.

-----Original Message-----
From: Ryan LeCompte [mailto:ryan.lecompte_at_pangonetworks.com]
Sent: 19 November 2004 01:33
To: users_at_jax-rpc.dev.java.net
Subject: Mutual SSL authentication with JAX-RPC


Hello,

I'm trying to have my static stub JAX-RPC client communicate via SSL with a
remote web service. I'm setting the two system properties for specifying the
SSL trust store path and trust store password. The client is able to
successfully communicate via SSL when the remote web service's web server is
configured to not require client-side authentication (for example in tomcat
the configuration attribute 'clientAuth="false"' would be used). However,
when I turn on this attribute and require client-side authentication, the
JAX-RPC client fails to communicate successfully with the web service. Is
there anything else that must occur on the JAX-RPC client side when the
remote web server requires a client-side certification authentication? I'm
still new to SSL, so perhaps I have the basic concept confused. Do I have to
import another certification in the client-side keystore for this to work? I
looked in the java web services tutorial and they say that you need to
specify the following in web.xml:

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

However, this is a standalone JAX-RPC client that isn't running within a web
container (thus there is no web.xml).

Am I missing something here? Thank you for any suggestions...

-- Ryan
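
Added example, not part of either message above: one way a standalone Java client can present its own certificate for the mutual authentication discussed in this thread, using the standard JSSE key store system properties alongside the trust store ones. The file names, the JKS store type and the environment variable names are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Collections;

public class MutualTlsClientSetup {
    // Returns the alias of the first private-key entry, or null when the
    // store holds only trusted certificates (useless for client auth).
    static String findClientKeyAlias(KeyStore ks) throws Exception {
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                return alias;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file names and environment variable names; substitute your own.
        String keyStorePath = "client-keystore.jks";     // client private key + certificate
        String trustStorePath = "client-truststore.jks"; // server (or CA) certificate
        String keyStorePass = System.getenv("CLIENT_KEYSTORE_PASS");
        String trustStorePass = System.getenv("CLIENT_TRUSTSTORE_PASS");
        if (keyStorePass == null || trustStorePass == null) {
            throw new IllegalStateException("Set CLIENT_KEYSTORE_PASS and CLIENT_TRUSTSTORE_PASS");
        }

        // Fail early with a clear message instead of an opaque handshake failure.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            ks.load(in, keyStorePass.toCharArray());
        }
        String alias = findClientKeyAlias(ks);
        if (alias == null) {
            throw new IllegalStateException(keyStorePath + " has no private-key entry");
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        cert.checkValidity(); // throws if expired or not yet valid
        System.out.println("Client identity: " + cert.getSubjectX500Principal().getName());

        // JSSE reads these when it builds the default SSLContext, so set them
        // before the stub is created and makes its first HTTPS call.
        System.setProperty("javax.net.ssl.keyStore", keyStorePath);
        System.setProperty("javax.net.ssl.keyStorePassword", keyStorePass);
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePass);
    }
}
```

The key store must hold the client's private key together with its certificate; a store containing only imported certificates passes the trust check but gives the client nothing to present when the server asks for one.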

