This week's book giveaway is in the Servlets forum.
We're giving away four copies of Murach's Java Servlets and JSP and have Joel Murach on-line!
See this thread for details.
The moose likes Web Services Certification (SCDJWS/OCEJWSD) and the fly likes Client authentication Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login


Win a copy of Murach's Java Servlets and JSP this week in the Servlets forum!
JavaRanch » Java Forums » Certification » Web Services Certification (SCDJWS/OCEJWSD)
Bookmark "Client authentication" Watch "Client authentication" New topic
Author

Client authentication

Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 721
According to Martin Kalin's Java WS Up and Running, p.198, it says:
"The web server typically does not challenge the browser.... The usually one-sided authentication challenge, with the client challenging the server but not the other way round. Tomcat's server.xml :"

"The default client behavior is to challenge the server."

But according to JEE tutorial, chapter 42, it says "With client authentication, the web server authenticates the client by using the client’s public key certificate. Client authentication is a more secure method of authentication than either basic or form-based authentication. It uses HTTP over SSL (HTTPS), in which the server authenticates the client using the client’s public key certificate."

So, which quote is correct?
My question is:
Should the server authenticate the client or should the client authenticate the server during client authentication? Or, the client authenticates the server if clientAuth is set to true?
Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 721
To answer my own question, here is another quote from http://docs.oracle.com/cd/E12839_01/web.1111/b32511/standards.htm:
"One-way authentication (or server authentication): Only the server authenticates itself to the client. The server sends the client a certificate verifying that the server is authentic. This is typically the approach used for Internet transactions such as online banking."

I think server authentication is what Martin Kalin is refering to and client authentication is the other way round.
 
 
subject: Client authentication
 
Similar Threads
security
HTTPS Client Authentication
Tomcat SSL .Enabling Client authentication with tomcat
Need secure jdbc connection with sql server 2005
Basic auth + ssl on client side