two way SSL/TLS authentication in a Rest Web Service
Question
I am going to expose my situation. I have a REST application running on Apache Tomcat 7.0. The question is that I want to authenticate and create client roles on the rest API server in order to allow users make some actions or not. The authentication and roles of clients will be determined by the SSL/TLS client certificate that clients have to send to the server.
Strategy is:
- a Rest Client application sends a request to the server.
- Client apart from sends actions on the post request, sends his own SSL/TLS certification (I don't know how).
- Rest Web Service receives this request from the client, process it and determines with SSL/TLS certificate the client role, in order to answer if the action request is allowed or not.
Is this feasible? Can anybody help with some tutorials or other posts?
1 answers
solution1
-3 ACCPTED 2014-11-05 20:50:43
We adopted HMAC authentication in our REST services. Good read: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.