
How to implement PKI certificate based authentication in Java Web application

I have a Servlets/JSP based traditional Java MVC web application on a Tomcat server, and I want to implement PKI certificate based authentication, in which the user doesn't have to provide login credentials. Here are the basic requirements:

  1. Admin issues the PKI certificate to the client,
  2. Admin sends the PKI certificate to the client and adds it to the PKI Cert Store,
  3. Client adds the certificate to the browser, and
  4. Whenever the client clicks on the Login button in the application, the application fetches the browser certificate and authenticates the client against the PKI Cert Store.

Please suggest how to proceed with this kind of requirement.

First you set up SSL/TLS at the Tomcat server level.

Then you use a security framework at the webapp level to enforce the SSL client certificate (X.509) authentication requirement on specific URL paths (or patterns thereof) such as the login URL. One commonly used library which allows flexible configuration of client certificate authentication is Spring Security, with which you can use either an XML configuration file or Java annotations in your webapp to get what you want. On the documentation link about X.509 authentication, you also have the necessary SSL setup instructions for Tomcat.

You may find another way to do client certificate authentication natively in Tomcat using some configuration in the webapp deployment descriptor (web.xml) and in the Tomcat realm configuration (e.g. tomcat-users.xml), but it is quite tedious and far less flexible.
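As an added example (not from the answer above), here is what the Spring Security side of that setup looks like as Java configuration, assuming Spring Security 6.x and a Tomcat HTTPS Connector already configured with `clientAuth="true"` and a truststore holding the issuing CA. The class name, URL paths and the allow-list of subject CNs are constructed for illustration; the allow-list stands in for the question's "PKI Cert Store" so that a certificate the CA signed but never issued to a known user is still refused.

```java
import java.util.Map;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class X509SecurityConfig {

    // Constructed allow-list standing in for the "PKI Cert Store": subject CN -> roles.
    // Tomcat has already validated the certificate chain against its truststore
    // (clientAuth="true" on the HTTPS Connector); this layer only decides whether
    // a chain-valid certificate actually belongs to a known account.
    private static final Map<String, Set<String>> KNOWN_SUBJECTS = Map.of(
            "alice", Set.of("USER"),
            "admin-bob", Set.of("USER", "ADMIN"));

    @Bean
    public SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            // Only the login URL and the application paths require a client certificate.
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/login", "/app/**").authenticated()
                .anyRequest().permitAll())
            // Extract the CN from the certificate subject DN and look it up.
            .x509(x509 -> x509
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(certSubjectUserDetailsService()));
        return http.build();
    }

    @Bean
    public UserDetailsService certSubjectUserDetailsService() {
        return cn -> {
            Set<String> roles = KNOWN_SUBJECTS.get(cn);
            if (roles == null) {
                // Unknown subject: authentication fails even though the chain validated.
                throw new UsernameNotFoundException("No account for certificate subject " + cn);
            }
            // No password is involved; the certificate is the credential.
            return User.withUsername(cn).password("").roles(roles.toArray(String[]::new)).build();
        };
    }
}
```

With this in place, a request to `/login` that arrives without a valid client certificate is rejected by Spring Security rather than reaching the servlet, and the servlet can read the authenticated CN from the security context instead of parsing the certificate itself.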

