This week's book giveaway is in the JavaFX forum.
We're giving away four copies of Introducing JavaFX 8 Programming and have Herbert Schildt on-line!
See this thread for details.
The moose likes Web Services Certification (SCDJWS/OCEJWSD) and the fly likes Client authentication Big Moose Saloon
  Search | Java FAQ | Recent Topics | Flagged Topics | Hot Topics | Zero Replies
Register / Login

Win a copy of Introducing JavaFX 8 Programming this week in the JavaFX forum!
JavaRanch » Java Forums » Certification » Web Services Certification (SCDJWS/OCEJWSD)
Bookmark "Client authentication" Watch "Client authentication" New topic

Client authentication

Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 1050
According to Martin Kalin's Java WS Up and Running, p.198, it says:
"The web server typically does not challenge the browser.... The usually one-sided authentication challenge, with the client challenging the server but not the other way round. Tomcat's server.xml :"

"The default client behavior is to challenge the server."

But according to JEE tutorial, chapter 42, it says "With client authentication, the web server authenticates the client by using the client’s public key certificate. Client authentication is a more secure method of authentication than either basic or form-based authentication. It uses HTTP over SSL (HTTPS), in which the server authenticates the client using the client’s public key certificate."

So, which quote is correct?
My question is:
Should the server authenticate the client or should the client authenticate the server during client authentication? Or, the client authenticates the server if clientAuth is set to true?
Himai Minh
Ranch Hand

Joined: Jul 29, 2012
Posts: 1050
To answer my own question, here is another quote from
"One-way authentication (or server authentication): Only the server authenticates itself to the client. The server sends the client a certificate verifying that the server is authentic. This is typically the approach used for Internet transactions such as online banking."

I think server authentication is what Martin Kalin is refering to and client authentication is the other way round.
I agree. Here's the link:
subject: Client authentication
It's not a secret anymore!