<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>
Mutual Authentication
With mutual authentication, the server and the client authenticate one another. There are two
types of mutual authentication:
Certificate-based mutual authentication (see Figure 30-4)
User name- and password-based mutual authentication (see Figure 30-5)
When using certificate-based mutual authentication, the following actions occur:
1. A client requests access to a protected resource.
2. The web server presents its certificate to the client.
3. The client verifies the server's certificate.
4. If successful, the client sends its certificate to the server.
5. The server verifies the client's credentials.
6. If successful, the server grants access to the protected resource requested by the client.
Figure 30-4 shows what occurs during certificate-based mutual authentication.
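The six steps above, run end to end as an added example that is not part of the tutorial: it uses Go's crypto/tls in place of a Java EE container configured for CLIENT-CERT, builds two self-signed test certificates for the constructed identities "localhost" (server) and "alice" (client), and, going one step beyond the text, also shows the handshake being refused at step 5 when the client presents no certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// selfSigned builds a throwaway self-signed certificate for cn (constructed test PKI, not a real CA).
func selfSigned(cn string) tls.Certificate {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		DNSNames: []string{"localhost"}, IsCA: true, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}
}
// mutualHandshake runs steps 1-6 over loopback TCP (each peer pins the other's self-signed
// certificate as its only trust anchor) and returns the client identity the server verified.
func mutualHandshake(clientHasCert bool) (string, error) {
	srvCert, cliCert := selfSigned("localhost"), selfSigned("alice")
	srvPool, cliPool := x509.NewCertPool(), x509.NewCertPool()
	srvPool.AddCert(srvCert.Leaf); cliPool.AddCert(cliCert.Leaf) // what the client (step 3) and the server (step 5) trust
	// Step 2: present srvCert. Step 5: RequireAndVerifyClientCert aborts on a missing or untrusted client cert.
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientCAs: cliPool, ClientAuth: tls.RequireAndVerifyClientCert}
	cliCfg := &tls.Config{RootCAs: srvPool, ServerName: "localhost"} // step 3: verify the server's chain and host name
	if clientHasCert {
		cliCfg.Certificates = []tls.Certificate{cliCert} // step 4: the client sends its certificate
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil { return "", err }
	defer ln.Close()
	go func() { // client side: step 1 (Dial also runs the client handshake), then wait for the server to close
		if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			c.Read(make([]byte, 1)); c.Close() // Read returns with EOF or a TLS alert once the server is done
		}
	}()
	conn, err := ln.Accept()
	if err != nil { return "", err }
	srv := conn.(*tls.Conn); defer srv.Close()
	if err := srv.Handshake(); err != nil { return "", err } // the server performs steps 2 and 5 here
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil // step 6: authorize this identity
}
```

With a client certificate the server reports the verified identity "alice"; without one the server's handshake fails before any application data is exchanged, which is the property a CLIENT-CERT login-config relies on.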
Defining Security Requirements for Web Applications
The Java EE 5 Tutorial · September 2007
864