
Mutual authentication in Web Services

Sabya Sachi
Greenhorn

Joined: Oct 05, 2004
Posts: 6
Hi,

I have already built my webservice and it is ready for use...

But I want to implement security into my service using SSL.

Let me first tell you I have used jwsdp-1.3 and the web container as Tomcat 5.0 to build my JAXPRC service.

I have followed the mutual authentication example provided in the jwstutorial but that does not seem to be too useful to me, because that does not describe clearly how the authentication has to be done from various client sides.


I want to have a third party as the certifying authority for both the server as well as the client.

Kindly guide me how do I go about setting the properties in the server side as well as in the client-side....

I am now trying out my luck with SAML (Security Assertion Markup Language). I have got certain pieces of code related to SAML, but SAML Web Service integration is not described. Those just show how SAML works. Please help me out. It is very urgent for me.
Thanks in advance

Sabyasachi
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12760
I have just gone through the exercise of setting up SSL connections with client authentication in Tomcat 5 and it was quite a pain. I found that not only do you have to configure a port in server.xml - something like this (with obvious obfuscation of my real path):


BUT you also have to start Tomcat with system properties that match the parameter in server.xml AND also define the trustStore location and password that match the client keys in the catalina.bat startup batch (that took a while to discover!!) (again obfuscated)


I actually used the same keystore and pass for both client and server.
On the client side, I ended up defining System parameters when the app starts by means of a properties file. This code gets called very early in startup.

where the properties file has

Again, both pointed to the same keystore (selfsigned in my case)

This may in fact be more complicated than it needs to be, but it seems to be working. I never found a resource that covered all these points.
Bill
Sabya Sachi
Greenhorn

Joined: Oct 05, 2004
Posts: 6
Hi,

I had already done all the settings in server.xml earlier. But I am not getting one thing... how do you go about setting the client stores for various clients? The server needs to have the public keys of all the various clients. How does the server maintain this?

I am still in doubt...

Anyways your piece of information helped me to a certain extent...

Sabyasachi
William Brogden
Author and all-around good cowpoke
Rancher

Joined: Mar 22, 2000
Posts: 12760
I "cheated" by using the same certificate everywhere. With separate client certificates, I think you would have to import them into your "truststore" using the Java keytool.
Although I was able to get clientAuth="true" working between my local machines, when my customer tried it from elsewhere on the net, the connection was never created. No error message that we could find, it just didn't connect - very frustrating.
Bill
Sabya Sachi
Greenhorn

Joined: Oct 05, 2004
Posts: 6
Hi

I have solved the mutual authentication problem. Now I can handle various clients and can maintain their lists on the server side.

The settings actually were quite simple....I found out the solution from jws 1.0 doc


For mutual authentication I had to follow these steps.



I created a keystore for the server side using keytool with the server details. Then I exported the contents into a file which acted as the public key certificate for the server. I gave the path of the keystore file in the SSL connector tag in server.xml.
Client also generates a certificate from his/her side and exports the contents into a file which acts as the public key holder for the client.

The server certificate is passed to the client which client imports into his/her keystore.

Same happens at the server side.
The server imports the client certificate into his/her keystore.

The client just needs to set his/her keystore location and the password to it.

That's it and bingo.......

Cheers.....

Sabyasachi
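The keytool sequence behind the steps in the post above, written out as an added example (not code from the thread). The aliases, the password and the output directory are assumptions for the demo; it keeps a separate truststore per side, so the server's list of permitted clients is simply one alias per client in its truststore.

```shell
#!/bin/sh
# Constructed demo: build a server keystore and one keystore per client,
# exchange the self-signed certificates, and check what each side trusts.
# Aliases, the password and paths are assumptions, not values from the thread.
set -eu

PASS=changeit   # assumed demo password only

setup_mutual_tls() {
  dir="$1"
  mkdir -p "$dir"

  # Step 1: server key pair, then export its public certificate
  keytool -genkeypair -alias server -keyalg RSA -keysize 2048 \
    -dname "CN=localhost, OU=demo, O=demo" -validity 365 \
    -keystore "$dir/server.jks" -storepass "$PASS" -keypass "$PASS"
  keytool -exportcert -alias server -keystore "$dir/server.jks" \
    -storepass "$PASS" -rfc -file "$dir/server.crt"

  # Step 2: each client gets its own key pair and exported certificate
  for client in alice bob; do
    keytool -genkeypair -alias "$client" -keyalg RSA -keysize 2048 \
      -dname "CN=$client, OU=demo, O=demo" -validity 365 \
      -keystore "$dir/$client.jks" -storepass "$PASS" -keypass "$PASS"
    keytool -exportcert -alias "$client" -keystore "$dir/$client.jks" \
      -storepass "$PASS" -rfc -file "$dir/$client.crt"
    # Step 3: the client imports the server certificate into its truststore
    # (keytool creates the truststore file on first import)
    keytool -importcert -noprompt -alias server -file "$dir/server.crt" \
      -keystore "$dir/$client-truststore.jks" -storepass "$PASS"
    # Step 4: the server imports this client's certificate; the server
    # truststore is the list of clients allowed to authenticate
    keytool -importcert -noprompt -alias "$client" -file "$dir/$client.crt" \
      -keystore "$dir/server-truststore.jks" -storepass "$PASS"
  done
}

# Returns 0 only if every alias given is present in the truststore
truststore_has() {
  store="$1"; shift
  for alias in "$@"; do
    keytool -list -keystore "$store" -storepass "$PASS" \
      -alias "$alias" >/dev/null 2>&1 || return 1
  done
}
```

On the client, javax.net.ssl.keyStore and javax.net.ssl.trustStore (with their password properties) point at alice.jks and alice-truststore.jks; on the Tomcat side, keystoreFile in the SSL connector points at server.jks and -Djavax.net.ssl.trustStore at server-truststore.jks.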