Restricting access of a Web application using public key/ private key techniques
I have a requirement of restricting access of a web application (public url available on www) & allowing it to specified set of clients.
Application details as follows:
Technology Used – JSP / Java EE Deployed on – IBM WebshpereMy problems are:
01. Can this be achieved through client 开发者_StackOverflow社区side SSL certificate? 02. Any mechanism of pulbic key / private key technics availble for this 03. Whether these techniques are dependant on browsers typeClient certificates are standardized in the servlet spec, so yes this is absolutely possible. You specify CLIENT-CERT in your web.xml file.
You will need to set up the keys in WebSphere's keystore (http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/rsec_csiv2cca.html) but this is a proprietary procedure for different containers.
Client certificates are public/private keys, so that should meet your requirement.
There shouldn't be any browser issues, other than giving the users different instructions for different browsers to set up their certificates.
It's in the Java EE spec but has its own problems implementing it. These articles show how to enable and solutions to common issues that arise in such an authentication schema.
精彩评论