Posted to httpclient-users@hc.apache.org by Lalit Sahoo <la...@sonata-software.com> on 2006/12/15 09:34:41 UTC

Implementation of Certificate Based Authentication

Hi All,

I am trying to implement certificate based authentication between HttpClient and Weblogic 8.1 server.

I have one web application in the WebLogic server. In this application we have defined the authentication scheme as "BASIC" with user name and password.

Now on the client side I am using AuthSSLProtocolSocketFactory as the socket factory.

In my client I have the following code:

import java.io.File;
import java.net.MalformedURLException;
import org.apache.commons.httpclient.HostConfiguration;
import org.apache.commons.httpclient.HttpClient;
import org.apache.commons.httpclient.MultiThreadedHttpConnectionManager;
import org.apache.commons.httpclient.ProtocolException;
import org.apache.commons.httpclient.contrib.ssl.AuthSSLProtocolSocketFactory;
import org.apache.commons.httpclient.params.HttpConnectionManagerParams;
import org.apache.commons.httpclient.protocol.Protocol;

    private HttpClient httpClient;

    // timeOut, maxHostConnections, hostName and portNumber come from my configuration
    void initClient(int timeOut, int maxHostConnections, String hostName, int portNumber)
            throws ProtocolException
    {
        try
        {
            File keystoreFile = new File("mykeystore");
            // AuthSSLProtocolSocketFactory arguments: keystore URL, keystore password,
            // truststore URL, truststore password. Here only the truststore is given.
            Protocol authhttps = new Protocol("https",
                    new AuthSSLProtocolSocketFactory(null, null, keystoreFile.toURI().toURL(), "password"), 443);
            Protocol.registerProtocol("https", authhttps);
        }
        catch (MalformedURLException mu)
        {
            // chain the exception itself; mu.getCause() is null here and would lose the stack trace
            throw new ProtocolException("Malformed URL Exception", mu);
        }
        HttpConnectionManagerParams connParams = new HttpConnectionManagerParams();
        connParams.setConnectionTimeout(timeOut);
        connParams.setDefaultMaxConnectionsPerHost(maxHostConnections);
        MultiThreadedHttpConnectionManager connManager = new MultiThreadedHttpConnectionManager();
        connManager.setParams(connParams);
        HostConfiguration hostConfig = new HostConfiguration();
        hostConfig.setHost(hostName, portNumber);
        httpClient = new HttpClient(connManager);
        httpClient.setHostConfiguration(hostConfig);
        httpClient.getParams().setAuthenticationPreemptive(true);
    }

Then I am using the following:

GetMethod methodClass = new GetMethod(toSend.trim());
int status = httpClient.executeMethod(methodClass);

But while executing the application I am getting the following error:

java.net.ConnectException: Connection refused: connect.

On further investigation I found that the error is occurring in

createSocket(
        final String host,
        final int port,
        final InetAddress localAddress,
        final int localPort,
        final HttpConnectionParams params)

at the line

return socketfactory.createSocket(host, port, localAddress, localPort);

Can anybody help me find why this error occurs?

Also, is it required to use "SSL" for certificate based authentication,

and

what configuration do we need to do in our web application for this to work?

Regards,
Lalit

Re: Implementation of Certificate Based Authentication

Posted by Roland Weber <ht...@dubioso.net>.
Hello Lalit,

> Can we use SSL feature without providing server or client certificates?

The server will always have to have a certificate installed.
It is possible to disable the check of the server certificate
on the client. For example, the EasySSLProtocolSocketFactory
accepts self-signed certificates:
http://svn.apache.org/repos/asf/jakarta/commons/proper/httpclient/trunk/src/contrib/org/apache/commons/httpclient/contrib/ssl/EasySSLProtocolSocketFactory.java
This is not a recommended practice, though. If you are deploying
a productive application, you should use real certificates and
deploy the base certificates required for certificate checking.
You could for example ship a truststore as part of the client
application deliverable.

The client does not need to present a certificate to the server,
unless the server is configured to perform certificate based
client authentication. It only needs base certificates for
verifying the server certificate, unless you disable that check.


By the way, we now have a FAQ discussing client authentication:
http://wiki.apache.org/jakarta-httpclient/FrequentlyAskedApplicationDesignQuestions
It's brand new, otherwise I would have posted the link last week.

cheers,
  Roland


---------------------------------------------------------------------
To unsubscribe, e-mail: httpclient-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: httpclient-user-help@jakarta.apache.org


RE: Implementation of Certificate Based Authentication

Posted by Lalit Sahoo <la...@sonata-software.com>.
Hi Roland,

Thanks for providing so much useful information!

Can we use the SSL feature without providing server or client certificates?

Regards,
Lalit


Re: Implementation of Certificate Based Authentication

Posted by Roland Weber <ht...@dubioso.net>.
Hello Lalit,

> I am trying to implement certificate based authentication between HttpClient and Weblogic 8.1 server.
> 
> I have one webapplication in weblogic server,In this application we have defined authentication scheme is as "BASIC" with user name and password.
> [...]
> 
> Also is it required to use "SSL" for certificate based authentication

I'm afraid you are missing some very fundamental information about
the principles of certificate based authentication. Since it is
beyond the scope of this mailing list to explain cryptography basics,
here are some pointers:

Julius' mail explaining the purpose of certificates
http://mail-archives.apache.org/mod_mbox/jakarta-httpclient-user/200611.mbox/%3c598ad5b50611302021x78dea3fbnbdbad1a12672e0e3@mail.gmail.com%3e

RFC 2246, in particular section 7.4.6
http://www.ietf.org/rfc/rfc2246.txt
-> Yes, it is required to use SSL/TLS for certificate based authentication

Client HTTP Programming Primer, scope of HttpClient
http://wiki.apache.org/jakarta-httpclient/ForAbsoluteBeginners#head-e5df784207b3082d88f0c254a0b656275c2b2855
-> SSL/TLS is on the transport layer, it does not know about HTTP
There is no HTTP authentication scheme for certificate based authentication,
and if the client is authenticated by a certificate it does not make sense
to require additional BASIC authentication.


On the client, you need a key store that must be unlocked by the
user when an SSL connection with client authentication is established
to the server. That means you need a custom SecureProtocolSocketFactory
that handles client authentication. The appropriate client certificate
needs to be deployed to the key store on each client machine.
On the server, you should search the documentation for details on how
to configure certificate based client authentication. This is not just
a checkbox in a dialog, you will have to prepare the infrastructure for
certificate management and validation.

cheers,
  Roland