Thursday, March 18, 2010

Client-Certificate Authentication


    Client-certificate authentication is a more secure method of authentication than either basic or form-based authentication. It uses HTTP over SSL, in which the server and, optionally, the client authenticate one another using public key certificates. Secure Socket Layer (SSL) provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection. You can think of a public key certificate as the digital equivalent of a passport. It is issued by a trusted organization, which is called a certificate authority (CA), and provides identification for the bearer.


Using Mutual Authentication


With mutual authentication, the server and the client authenticate each other. There are two types of mutual authentication:

  • Certificate-based mutual authentication
  • User name- and password-based mutual authentication


Certificate-Based Mutual Authentication


In certificate-based mutual authentication, the following things occur:

  1. A client requests access to a protected resource.
  2. The web server presents its certificate to the client.
  3. The client verifies the server's certificate.
  4. If successful, the client sends its certificate to the server.
  5. The server verifies the client's credentials.
  6. If successful, the server grants access to the protected resource requested by the client.


Username/Password-Based Mutual Authentication


In user name- and password-based mutual authentication, the following things occur:

  1. A client requests access to a protected resource.
  2. The web server presents its certificate to the client.
  3. The client verifies the server's certificate.
  4. If successful, the client sends its user name and password to the server, which verifies the client's credentials.
  5. If the verification is successful, the server grants access to the protected resource requested by the client.


Follow-Up Example (under GlassFish Server v3.0 and NetBeans IDE 6.8)

Simple description:

A simple web application containing pages, some of which require the user to be authorized as "Admin" and others that do not.

Pages that require access permission are located in a folder named "admin" under the Web Pages folder.

We have a single page named "index.jsp" under the "admin" folder.


1. Import the CA certificate (the CA that issued the client and server certificates) into the server's trusted certificate store (cacerts.jks).


What is the difference between the keystore and the truststore?
A truststore contains the CA certificates to be trusted.
A keystore contains private keys and the certificates with their corresponding public keys.



Which certificates will the browser prompt for?
Only the stored certificates that the server trusts (those whose CA certificate has been imported into the server truststore).



How do you use the keystore and import or export certificates?


2. From the GlassFish admin console, go to Security -> Realms -> certificate:


What is meant by Users, Groups, Roles, and Realms?

  • Users: An individual identity defined in the Enterprise Server. In general, a user is a person, a software component such as an enterprise bean, or even a service. A user who has been authenticated is sometimes called a principal. Users are sometimes referred to as subjects.
  • Groups: A set of users defined in the Enterprise Server, classified by common traits.
  • Roles: A named authorization level defined by an application. A role can be compared to a key that opens a lock. Many people might have a copy of the key. The lock doesn't care who seeks access, only that the right key is used.
  • Realms: A repository containing user and group information and their associated security credentials. A realm is also called a security policy domain.

references: http://docs.sun.com/app/docs/doc/820-4335/abloe?a=view


    a. Add your application groups (separated by commas ',').
    b. Add the property clientAuth with the value true.

From Glassfish Administration Console 



From domain.xml 

    <auth-realm name="certificate" classname="com.sun.enterprise.security.auth.realm.certificate.CertificateRealm">
        <property name="clientAuth" value="true" />
        <property name="assign-groups" value="admin" />
    </auth-realm>

3. Import your GlassFish application (server) certificate into your browser's trusted certificates.

4. Import your personal certificate into your browser.

5. In your application, create a folder for each group and put your secured pages in it (create a folder named "admin" and a new JSP page named "index.jsp" inside it).

6. In web.xml (Security tab), under Login Configuration choose Client Certificate.

7. Enter the realm name "certificate" in the Realm text box.

8. Add the role (admin).

From Netbeans 6.8:




From web.xml: 

    <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>certificate</realm-name>
    </login-config>

    <security-role>
        <description/>
        <role-name>admin</role-name>
    </security-role>


9. Add a security constraint: enter a name, add the web resources, enable the authentication constraint and choose the role name(s), and enable the user data constraint with the transport guarantee CONFIDENTIAL.


What is a security constraint?
It contains the name and the URL pattern(s) that belong to the specified role.


What is CONFIDENTIAL?
The option that makes the site use HTTPS instead of HTTP.

From Netbeans 6.8:


In web.xml 

    <security-constraint>
        <display-name>adminConstraint</display-name>
        <web-resource-collection>
            <web-resource-name>admin</web-resource-name>
            <description/>
            <url-pattern>/admin/*</url-pattern>
        </web-resource-collection>
        <auth-constraint>
            <description/>
            <role-name>admin</role-name>
        </auth-constraint>
        <user-data-constraint>
            <description/>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

10. In sun-web.xml (Security tab), add your group names, matching the group names defined on the server.

What is the Principal?
The authenticated user.



From Netbeans 6.8:



From sun-web.xml 

    <security-role-mapping>
        <role-name>admin</role-name>
        <group-name>admin</group-name>
    </security-role-mapping>


What is required to make a servlet need the authorized user "admin"?


From Netbeans





From web.xml

    <servlet>
        <servlet-name>SecuredServlet</servlet-name>
        <servlet-class>crlcheck.SecuredServlet</servlet-class>
        <run-as>
            <role-name>admin</role-name>
        </run-as>
    </servlet>

    <servlet-mapping>
        <servlet-name>SecuredServlet</servlet-name>
        <url-pattern>/admin/SecuredServlet</url-pattern>
    </servlet-mapping>
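An added example body for the SecuredServlet declared above (not code from the post). One caveat worth knowing: <run-as> only sets the identity the servlet uses when it calls other components such as EJBs; what actually stops unauthenticated users from reaching /admin/SecuredServlet is the /admin/* security constraint, so the servlet below also checks the role itself and reads the client certificate the container stored under the standard request attribute.

```java
package crlcheck;

import java.io.IOException;
import java.io.PrintWriter;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example body for the SecuredServlet declared in web.xml above;
// not code from the original post.
public class SecuredServlet extends HttpServlet {

    // Servlet-spec attribute holding the client certificate chain that the
    // container negotiated during the TLS handshake.
    private static final String CERT_ATTR =
            "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // The /admin/* constraint in web.xml should already have rejected
        // anyone outside the admin role; checking again keeps the servlet
        // protected even if it is later mapped to another URL.
        if (!req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        Principal principal = req.getUserPrincipal();
        X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute(CERT_ATTR);

        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println("Principal: "
                + (principal == null ? "none" : principal.getName()));
        if (chain == null || chain.length == 0) {
            out.println("No client certificate on this request");
            return;
        }
        X509Certificate cert = chain[0]; // end-entity certificate comes first
        out.println("Subject:   " + cert.getSubjectX500Principal().getName());
        out.println("Issuer:    " + cert.getIssuerX500Principal().getName());
        out.println("Not after: " + cert.getNotAfter());
    }
}
```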

And just to make sure, see sun-web.xml:



5 comments:

  1. Hi,
    Great information. As a person starting out, I find this information very useful, glad I stumbled upon your site. Great stuff, would love it if you created a whole course on this subject.


    Certificate Authentication

  2. Hello, I love reading through your blog, I wanted to leave a little comment to support you and wish you a good continuation. Wish you best of luck for all your best efforts.
    Authentication Certificate

  4. Thanks for explaining all about this authentication scheme. It's a new concept for me so I felt a little difficulty in learning. But you have posted amazing detail that helped me.
    digital signature certificate
