
How do you get a user's X.509 certificate over an HTTP request (without SSL)?

We would like to authenticate/authorize users using X.509 certificates and groups within LDAP.

With Tomcat 5.5 we were able to do this by getting the X.509 cert over SSL, then switching back to HTTP and continuing to use the userPrincipal in the request. After moving to Tomcat 6 and 7, the userPrincipal is no longer available after switching back to HTTP.

In the question "Can I use SSL certificate without using a HTTPS connection?" it is said that you can request the X.509 cert without SSL. I'm trying to confirm whether this is possible, and whether anyone has an idea how it could be done.

Let's think about this for a second.

User authentication usually goes like this:

  1. Ask the client to prove his identity
  2. Receive proof of the user identity
  3. Pass back a unique random string that the client can use to prove his identity in the future (session token).

Going back to unencrypted HTTP after authentication is a bad idea. Everybody can see the session token on the wire. They can steal it and use it to pose as the user. See FBController or search on "session hijack" for an example.

Using an unencrypted session to pass the proof of user identity is an equally bad idea. Everybody can replay this and pose as the user. Whether you use an X.509 certificate or a username/password: it is all the same thing.

If you really really want, you could implement your own pseudo-HTTPS using JavaScript. Yahoo for example used JavaScript to take a salted SHA1 of the user password before sending it over the wire. You could use JavaScript to sign a nonce using the private key of the X.509, and also send over the public certificate. Beware that you are still open to session hijacking when using this method, so it is only a false sense of security!

A much much better way is to just use standard HTTPS. The full connection is encrypted, which means there are no confidentiality issues with passing the user proof, session hijacking or even viewing the information requested by the user.
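As an added illustration of the answer's recommendation (this is example code written for this page, not code from the question, the answer, or the Tomcat project): a servlet filter that reads the client certificate the container exposes under the Servlet-specification attribute `javax.servlet.request.X509Certificate`, binds the subject DN to the session, and refuses to honour that session on a non-TLS request, so the principal is never "carried over" to plain HTTP where the session cookie could be observed and replayed. It assumes the Tomcat HTTPS connector is configured with `SSLEnabled="true"` and `clientAuth="true"` (or `"want"`), so the TLS layer has already validated the chain against the trust store; the session attribute name `example.authenticatedSubject` and the class name are choices made for this example.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Example filter (not from the original post): accepts the client's X.509
 * certificate only on a TLS connection, stores the subject DN in the session,
 * and invalidates that session if it is ever presented over plain HTTP.
 */
public class CertificateSessionFilter implements Filter {

    // Attribute name defined by the Servlet specification for the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Session attribute name chosen for this example.
    private static final String SUBJECT_ATTR = "example.authenticatedSubject";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Anything an attacker can observe on the wire can be replayed, so a
        // session created from a certificate is only valid while the transport is TLS.
        if (!request.isSecure()) {
            HttpSession existing = request.getSession(false);
            if (existing != null) {
                existing.invalidate();
            }
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        HttpSession session = request.getSession(true);
        if (session.getAttribute(SUBJECT_ATTR) == null) {
            // The container populates this attribute only when the connector asked
            // for a client certificate during the TLS handshake.
            X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
            if (certs == null || certs.length == 0) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Client certificate required");
                return;
            }
            X509Certificate leaf = certs[0];
            try {
                leaf.checkValidity(); // rejects expired or not-yet-valid certificates
            } catch (CertificateException e) {
                response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Certificate not valid");
                return;
            }
            // Chain validation against the trust store was done by the TLS layer;
            // a group lookup (e.g. in LDAP) would key off this subject DN.
            session.setAttribute(SUBJECT_ATTR, leaf.getSubjectX500Principal().getName());
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

Register the filter in web.xml on the paths that need authentication, and mark the session cookie as secure (`<session-config><cookie-config><secure>true</secure></cookie-config></session-config>` in a Servlet 3.0 deployment descriptor) so the browser never sends it over HTTP in the first place; the `isSecure()` check in the filter is the server-side backstop for the same property.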
