6. If the verification is successful, the server grants access to the protected resource requested by the client.
Figure 19-2 shows what occurs during user name/password-based mutual authentication.
Enabling Mutual Authentication over SSL
This section discusses setting up client-side authentication. Enabling both server-side and client-side authentication is called mutual, or two-way, authentication. In client authentication, clients are required to submit certificates issued by a certificate authority that you choose to accept.
There are at least two ways to enable mutual authentication over SSL:
• The preferred method is to set the method of authentication in the web.xml application deployment descriptor to CLIENT-CERT. This enforces mutual authentication by modifying the deployment descriptor of the given application. In this way, client authentication is enabled only for a specific resource controlled by the security constraint, and the check is performed only when the application requires client authentication.
• A less commonly used method is to set the clientAuth property in the certificate realm to true if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. A false value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that uses CLIENT-CERT authentication. When you enable client authentication by setting the clientAuth property to true, client authentication will be required for all the requests going through the specified SSL port. If you turn clientAuth on, it is on all of the time, which can severely degrade performance.
When client authentication is enabled in both of these ways, client authentication will be performed twice.
Creating a Client Certificate for Mutual Authentication
If you have a certificate signed by a trusted Certificate Authority (CA) such as Verisign,
and the GlassFish Server cacerts.jks file already contains a certificate verified by
that CA, you do not need to complete this step. You need to install your certificate in the
GlassFish Server certificate file only when your certificate is self-signed.
From the directory where you want to create the client certificate, run keytool as outlined here. When you press Enter, keytool prompts you to enter the server name, organizational unit, organization, locality, state, and country code.