According to Martin Kalin's Java WS Up and Running, p.198, it says:
"The web server typically does not challenge the browser.... The usually one-sided authentication challenge, with the client challenging the server but not the other way round. Tomcat's server.xml :"
"The default client behavior is to challenge the server."
But according to JEE tutorial, chapter 42, it says "With client authentication, the web server authenticates the client by using the client’s public key certificate. Client authentication is a more secure method of authentication than either basic or form-based authentication. It uses HTTP over SSL (HTTPS), in which the server authenticates the client using the client’s public key certificate."
So, which quote is correct?
My question is:
Should the server authenticate the client or should the client authenticate the server during client authentication? Or, the client authenticates the server if clientAuth is set to true?
posted 1 year ago
To answer my own question, here is another quote from http://docs.oracle.com/cd/E12839_01/web.1111/b32511/standards.htm: "One-way authentication (or server authentication): Only the server authenticates itself to the client. The server sends the client a certificate verifying that the server is authentic. This is typically the approach used for Internet transactions such as online banking."
I think server authentication is what Martin Kalin is refering to and client authentication is the other way round.