Accessing server certificate from servlet.

Posted By:   Brad_Dompe
Posted On:   Wednesday, September 26, 2001 08:54 AM

Hi. I'm trying to design two servlets, one residing locally (on Weblogic) and one remotely, that will perform two-way authentication. I need them to exchange certificates, but I also need to access the certificate from the code to determine exactly who the two "people" are, not just that they are trusted. I've tried it with either side acting as the client, but I've been unable to achieve what I need. Any suggestions would be appreciated.

My original implementation had the remote servlet acting as the client, opening a URLConnection, and transferring the data. I specifically reference a truststore in the code that only contains myself as a trusted authority, so presenting it a server certificate that it accepts was enough to identify me. I was then able to retrieve their client certificate out of the request and get the needed information. The only implementation I could find to do this requires that the remote servlet contains both the keystore's path and password in its code to present the client certificate, which has been deemed an unacceptable security risk. Is there a way to implement this without storing that information?

I then tried to reverse it. I now open a connection to them and receive the data back on the response. Under this model, I'm acting as the client. The remote server can get my certificate information out of the request and determine who I am. However, is there a way for me to access the server certificate they present, to get their information? I don't see any methods in either the response or the URLConnection to do it. I notice the 1.4 spec has javax.net.ssl.HttpsURLConnection with methods such as getServerCertificates(). Is there something similar that is currently available?

Thanks in advance for any suggestions.


Re: Accessing server certificate from servlet.

Posted By:   Brad_Dompe  
Posted On:   Friday, October 5, 2001 07:49 AM

Using the HttpsConnection in JSSE, I can achieve what I need to.
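
The client-side check discussed in this thread, as an added example that is not part of the original posts: it reads the server's certificate through `HttpsURLConnection.getServerCertificates()` and then decides identity separately from trust. The class name, the allowlisted subject and the URL argument are assumptions made for illustration.

```java
import java.net.URI;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.HttpsURLConnection;
import javax.security.auth.x500.X500Principal;

public class PeerIdentityCheck {
    // Constructed allowlist: the exact subjects we accept as "who", which is
    // narrower than "any certificate that chains to our truststore".
    static final Set<X500Principal> EXPECTED_PEERS = Set.of(
        new X500Principal("CN=partner.example.com,O=Example Partner,C=US"));

    // Returns the leaf certificate the server presented in the TLS handshake.
    static X509Certificate serverLeaf(HttpsURLConnection conn) throws Exception {
        conn.connect(); // JSSE validates the chain and hostname during the handshake
        Certificate[] chain = conn.getServerCertificates(); // index 0 is the peer's own cert
        if (chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            throw new SecurityException("server did not present an X.509 certificate");
        }
        return (X509Certificate) chain[0];
    }

    // Identity decision: X500Principal.equals compares the canonical DN form.
    static boolean isExpectedPeer(X509Certificate leaf) {
        return EXPECTED_PEERS.contains(leaf.getSubjectX500Principal());
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 1) {
            System.err.println("usage: java PeerIdentityCheck https://host/path");
            return;
        }
        // Truststore and keystore locations are given to the JVM at launch
        // (-Djavax.net.ssl.trustStore=..., -Djavax.net.ssl.keyStore=...),
        // so no path or password appears in this source file.
        HttpsURLConnection conn =
            (HttpsURLConnection) URI.create(args[0]).toURL().openConnection();
        try {
            X509Certificate leaf = serverLeaf(conn);
            System.out.println("subject: " + leaf.getSubjectX500Principal().getName());
            System.out.println("issuer:  " + leaf.getIssuerX500Principal().getName());
            if (!isExpectedPeer(leaf)) {
                throw new SecurityException("trusted chain, but not an expected peer");
            }
            // Only after this point read conn.getInputStream().
        } finally {
            conn.disconnect();
        }
    }
}
```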
