File APIs for Java Developers
Manipulate DOC, XLS, PPT, PDF and many others from your application.
http://aspose.com/file-tools
The moose likes Web Component Certification (SCWCD/OCPJWCD) and the fly likes HTTPS Client Authentication Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of EJB 3 in Action this week in the EJB and other Java EE Technologies forum!
JavaRanch » Java Forums » Certification » Web Component Certification (SCWCD/OCPJWCD)
Bookmark "HTTPS Client Authentication" Watch "HTTPS Client Authentication" New topic
Author

HTTPS Client Authentication

David Bates
Ranch Hand

Joined: Sep 03, 2006
Posts: 32
I've seen various questions online that talk about "HTTPS client Authentication". Is this talking about CLIENT-CERT?


<a href="http://www.trycatch.net" target="_blank" rel="nofollow">http://www.trycatch.net</a>
Muhammad Saifuddin
Ranch Hand

Joined: Dec 06, 2005
Posts: 1321

This is Authenticaiton Mechanisms,

HTTPS is HTTP over SSL(Secure Socket Layer)
SSL is protocol is to ensure the privacy of sensitive data tansmitted over the internet.

yes it requires a certification form a certification authority, such as veriSign


Saifuddin..
[Blog][Linkedin] How To Ask Questions On JavaRanch My OpenSource
David Bates
Ranch Hand

Joined: Sep 03, 2006
Posts: 32
...so that's a yes?

I understand HTTPS/SSL as transport layer encryption and CLIENT-CERT as authentication. I've never seen the phrase "HTTPS client Authentication" in any of my books.
Paul Santa Maria
Ranch Hand

Joined: Feb 24, 2004
Posts: 236
I found this link using Google:
http://java.boot.by/wcd-guide/ch05s03.html

It discusses these web client authentication types:
  • HTTP Basic Authentication
  • HTTP Digest Authentication
  • HTTPS Client Authentication
  • Form Based Authentication

  • And under "HTTPS Client Authentication", it says
    End user authentication using HTTPS (HTTP over SSL) is a strong authentication mechanism. This mechanism requires the user to possess a Public Key Certificate (PKC) ...

    ...Client-certificate authentication is a more secure method of authentication than either BASIC or FORM authentication. It uses HTTP over SSL, in which the server and, optionally, the client authenticate one another with Public Key Certificates. Secure Sockets Layer (SSL) provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.

    PS:
    No, the certificate doesn't necessarily need to come from somebody like Verisign. You can easily create your own, self-signed certificates with puttygen (Windows), openssl (Linux) or many other tools.
    [ September 07, 2006: Message edited by: Paul Santa Maria ]

    Paul M. Santa Maria, SCJP
    Ulf Dittmer
    Marshal

    Joined: Mar 22, 2005
    Posts: 39535
        
      27
    The term "HTTPS client Authentication" is odd. It mixes two things that don't really have anything to do with each other - authentication and encryption. HTTP authentication and HTTP encryption (i.e., HTTPS) are orthogonal concepts - they can be used together or eahc of them individually.

    HTTPS means using an encrypted connection; it requires the server to present a certificate in order to establish trust.

    Authentication can be achieved by various means, as pointed out before. One of those is CLIENT-CERT, which requires a personal certificate to be imported into the browser, and then sent to the server. Note that this is a different certificate than the one used with SSL/HTTPS (which is a server certificate).


    Ping & DNS - updated with new look and Ping home screen widget
    Paul Santa Maria
    Ranch Hand

    Joined: Feb 24, 2004
    Posts: 236
    Ulf -

    I think you're getting too hung up on the name.

    Yes, I agree that encryption and authentication are two different things.
    Furthermore, "authorization" ("Are you privileged to look at this web page?": which is, after all, the whole *point* of these 4 "authentication" types) is yet a third completely different thing.

    But provided we're all clear about what these terms actually mean, I'm OK with the name "HTTPS Client Authentication" ;-)
    [ September 08, 2006: Message edited by: Paul Santa Maria ]
    David Bates
    Ranch Hand

    Joined: Sep 03, 2006
    Posts: 32
    HTTP authentication and HTTP encryption (i.e., HTTPS) are orthogonal concepts - they can be used together or eahc of them individually.


    Thanks Ulf, that was exactly what was getting me confused. I came back to this thread to post what I had found in the Servlet Spec. In section SRV.12.5.4 (Page 95) it describes the various authentication methods (Basic, Digest, Form-based and HTTPS Client authentication).

    This means that what the HF book refers to as CLIENT-CERT authentication is referred to in the Spec as HTTPS Client authentication. I think future versions of this book (which is great, BTW) could go to slightly greater lengths to distinguish between:

    (i) HTTPS transport-level encryption (via <transport-guarantee> element).
    (ii) HTTPS-based authentication via client certificates.

    I still have a few questions though...


    Firstly, I just want to clarify part of Paul's quotation:

    End user authentication using HTTPS...requires the user to possess a Public Key Certificate (PKC).

    ...It uses HTTP over SSL, in which the server and, optionally, the client authenticate one another with Public Key Certificates.


    Question: Why is the authentication of the client optional?


    Secondly, in the URL he references it shows an example DD for CLIENT-CERT with a <realm-name> element. However, in the Specification it says "The realm-name indicates the realm name to use in HTTP BASIC authentication." (Page 144). Is the spec being misleading here or is the example incorrect?


    Finally, Pauls says:

    No, the certificate doesn't necessarily need to come from somebody like Verisign. You can easily create your own, self-signed certificates with puttygen (Windows), openssl (Linux) or many other tools.


    As I understand it this will create a certificate, but will will not be a "trusted" certificate since it doesn't come from a Certificate Authority (CA). Is this correct?
     
    jQuery in Action, 2nd edition
     
    subject: HTTPS Client Authentication
     
    Similar Threads
    http authentication methods
    Authentication over ssl in jsp
    Form Based Authentication in J2EE1.4
    Authentication
    Http Digest Authentication and HttpsClient Authentication