If I want to use Secure Sockets Layer technology in JavaServer Pages, then I have to configure Tomcat properly, and then the server (Tomcat) will handle the SSL handshaking and encrypting.
If the client is a browser, then all is taken care of. The browser will handle the client side of the SSL. There is no change in the syntax of the JSP or on the client side. If this is wrong, then please correct it. If this is correct, then is this a secure thing, because the browser is handling the client side itself? Thank you very much in advance.
I'm not quite sure what you mean by "is this the secure thing". You're right that the browser handles the client part of SSL, and if you have an SSL connection, then the transmission is encrypted, and thus much more secure than raw HTTP.
You can use the HttpServletRequest.isSecure method to determine whether a request was made through HTTP or HTTPS. The HttpServletResponse.sendRedirect method can then be used to send the request to the secure URL if necessary.
[ July 30, 2006: Message edited by: Ulf Dittmer ]
I read that Wikipedia: SSL article. It is a very nice article, thank you for that. But for more security I want to use client-side certificates, as each client has its unique certificate issued by the server.
So how can I request the client certificate? I don't know anything about client-side certificates. Is only changing clientAuth (in the server.xml file) sufficient, or do I have to do something extra? Please tell me.
Thank you very much.
You seem to have two accounts, and for the one you're using now the same goes as what Henry said above: please adjust your display name to a valid one.
As to your question, it's not server.xml you need to change to require a client certificate, but web.xml. You'll get stronger authentication with that - whether that's stronger overall security depends on your circumstances. The clients will need to set up their browsers with their client certificates, but I assume you already know how to do that.
Yes, I have changed my display name. Sorry for that.
OK. Ulf Dittmer, will you please tell me what the necessary changes are in web.xml to get a client certificate?
Also tell me how to set up clients' browsers with their client certificates. I don't know anything about client certificates. Also tell me from which site I should get these client certificates.
OK. Thank you very much.
[ August 06, 2006: Message edited by: Amit Kul ]
In your web.xml you need this:
The method of importing certificates into a browser varies. In Firefox, go to Options -> Advanced -> Security -> View Certificates -> Your Certificates -> Import
As to how to get certificates, check Verisign and Thawte, which are the best-known certificate providers. I think you can also create them yourself using the Java tools keytool and certtool.
[ August 06, 2006: Message edited by: Ulf Dittmer ]
As to your question, it's not server.xml you need to change to require a client certificate, but web.xml.
If you want the authentication type to be CLIENT_CERT, then certainly you have to change it in the web.xml, but in case you want all your client requests to the secure socket to present a certificate, then you have to set clientAuth=true in the SSL connector tag in server.xml, which you might have uncommented for enabling SSL in Tomcat. But this is mainly used in B2B applications, and might not be used heavily in any web-based application.
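The two settings discussed in this thread, side by side, as an added example that is not part of the original posts. The URL pattern, role name, port, keystore paths and passwords are placeholder assumptions, and the Connector attributes are those of the older Tomcat JSSE connector that uses `clientAuth`.

```xml
<!-- Fragment 1: WEB-INF/web.xml (per application).
     Only URLs under /secure/* (assumed path) demand a client certificate. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Certificate-protected area</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <!-- Assumed role; the realm must map the certificate's subject
         to a user that holds it, or the request is rejected. -->
    <role-name>certuser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <!-- Container redirects plain HTTP requests to the HTTPS connector. -->
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>
<security-role>
  <role-name>certuser</role-name>
</security-role>

<!-- Fragment 2: conf/server.xml (whole connector, every application).
     clientAuth="false": a certificate is requested only for resources
                         protected by a CLIENT-CERT constraint as above.
     clientAuth="want":  a certificate is requested on every handshake,
                         but the connection proceeds without one.
     clientAuth="true":  the handshake fails without a valid certificate.
     The truststore holds the CA certificates allowed to sign client
     certificates; keep it limited to the issuing CA you control. -->
<Connector port="8443" scheme="https" secure="true"
           SSLEnabled="true"
           sslProtocol="TLS"
           clientAuth="false"
           keystoreFile="conf/server-keystore.jks"
           keystorePass="CHANGE_ME"
           truststoreFile="conf/client-ca-truststore.jks"
           truststorePass="CHANGE_ME" />
<!-- SSLEnabled is needed on Tomcat 6 and later. -->
```

With `clientAuth="true"` alone the connector verifies that a trusted certificate was presented but the application still has no authenticated user or role; the `web.xml` constraint is what ties the certificate to authorization.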