HTTPS Client Authentication

Using Login Forms

When creating a form-based login, be sure to maintain sessions using cookies or SSL session information.

As shown in "Form-Based Authentication" on page 861, for authentication to proceed appropriately, the action of the login form must always be j_security_check. This restriction is made so that the login form will work no matter which resource it is for, and to avoid requiring the server to specify the action field of the outbound form. The following code snippet shows how the form should be coded into the HTML page:
<!-- The action must be j_security_check: the container intercepts this POST -->
<form method="POST" action="j_security_check">
    <!-- The field names j_username and j_password are fixed by the servlet specification -->
    <input type="text" name="j_username">
    <input type="password" name="j_password">
    <!-- Submit control added for completeness; the tutorial's snippet shows only the two fields -->
    <input type="submit" value="Log In">
</form>
HTTPS Client Authentication

HTTPS Client Authentication requires the client to possess a Public Key Certificate (PKC). If you specify client authentication, the web server will authenticate the client using the client's public key certificate.

HTTPS Client Authentication is a more secure method of authentication than either basic or form-based authentication. It uses HTTP over SSL (HTTPS), in which the server authenticates the client using the client's Public Key Certificate (PKC). Secure Sockets Layer (SSL) technology provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. You can think of a public key certificate as the digital equivalent of a passport. It is issued by a trusted organization, which is called a certificate authority (CA), and provides identification for the bearer.
Before using HTTPS Client Authentication, you must make sure that the following actions have been completed:

- Make sure that SSL support is configured for your server. If your server is the Sun Java System Application Server 9.1, SSL support is already configured. If you are using another server, consult the documentation for that server for information on setting up SSL support. More information on configuring SSL support on the application server can be found in "Establishing a Secure Connection Using SSL" on page 785 and the Sun Java System Application Server 9.1 Administration Guide.

- Make sure the client has a valid Public Key Certificate. For more information on creating and using public key certificates, read "Working with Digital Certificates" on page 788.
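The following servlet is an added example, not a listing from the tutorial or the application server, that shows what a protected resource can observe once the container has completed form-based or HTTPS client authentication: with CLIENT-CERT the verified certificate chain is exposed through the standard javax.servlet.request.X509Certificate request attribute. The servlet name WhoAmIServlet is hypothetical and it assumes a security-constraint in web.xml already covers its URL.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet (not from the tutorial). It is reached only after the
// container has authenticated the caller, so it can report the auth-method in
// effect and, for CLIENT-CERT, the identity carried by the client's PKC.
public class WhoAmIServlet extends HttpServlet {

    // Attribute name defined by the servlet specification for the client chain
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        // Fail closed: a misconfigured descriptor could expose this URL over plain
        // HTTP or without a constraint, so re-check what the container provides.
        if (!req.isSecure() || req.getUserPrincipal() == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        String authType = req.getAuthType(); // "FORM", "BASIC" or "CLIENT_CERT"
        out.println("auth-method: " + authType);
        out.println("principal:   " + req.getUserPrincipal().getName());

        if (HttpServletRequest.CLIENT_CERT_AUTH.equals(authType)) {
            // chain[0] is the client's certificate; the rest leads to the issuing CA
            X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
            if (chain == null || chain.length == 0) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            X509Certificate client = chain[0];
            out.println("subject:     " + client.getSubjectX500Principal().getName());
            out.println("issuer (CA): " + client.getIssuerX500Principal().getName());
            out.println("not after:   " + client.getNotAfter());
        }
    }
}
```

Requesting the servlet's URL after logging in shows whether the descriptor's login-config and transport-guarantee took effect, which is a quick way to validate the configuration before relying on it.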
The following example shows how to declare HTTPS client authentication in your deployment
descriptor:
Defining Security Requirements for Web Applications
Chapter 30 · Securing Web Applications
863