transport-guarantee Confidential

 
Ranch Hand
Posts: 312
Hi All

I am using FORM based authentication.
I have configured the SSL port on the Weblogic7 server.

Now in the web.xml of the application in the security-constraint section I have changed the <transport-guarantee> parameter value from NONE to CONFIDENTIAL.

So now even when I do an HTTP request it automatically translates to HTTPS because of the CONFIDENTIAL transport guarantee & invokes the application using the SSL port.

All this works fine. But my question is: what does CONFIDENTIAL do? Is there some security certificate being used by the server?

CONFIDENTIAL, as far as I know, only encrypts the data sent between the client & server, which is not the case when the transport-guarantee value is NONE.

So if there is no certificate getting displayed to the client, how does this encryption happen transparently when using CONFIDENTIAL?


Regards
 
Rancher
Posts: 43081
Both the web server and the web browser have a number of certificates built in, which they present to one another. (OK, so that's oversimplifying things, but you get the idea.) So there are certificates involved, they are just not shown to the user.

The server certificate would be shown to the user if the signer of that certificate is not recognized by the browser as a valid certification authority, e.g. if you sign it yourself, instead of, say, Verisign or Thawte.
 
Ranch Hand
Posts: 220

Is there some security certificate being used by the server?



Yes, that is how SSL works in essentially every browser that supports it. The server is always authenticated through SSL's mechanisms. Thus, the server must always have a certificate and access to the associated private key. Furthermore, as the previous poster noted, the server's certificate must be signed by a public key the client has decided to trust ahead of time, e.g. Verisign, Thawte. You can examine a list of such trusted authorities through your browser, e.g. in my version of Firefox, you go to the Tools menu and select Options, then select Advanced, then select the Security tab, then select View Certificates, and finally select the Authorities tab to see the (surprisingly long) list.

The client is optionally authenticated in SSL. I believe most sites that need client authentication do not use this feature of SSL, but rather do simple username-password authentication inside of the encrypted SSL channel set up with server-only authentication.
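
The web.xml change described in the question, shown as an added example that is not from any poster in this thread: a FORM-authenticated security constraint with the NONE setting beside the CONFIDENTIAL one. The URL pattern, role name and login page paths are assumptions chosen for illustration.

```xml
<!-- Added example: fragment of WEB-INF/web.xml. The URL pattern, role name
     and login page paths are assumptions, not values from the thread. -->
<web-app>

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected area</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>appuser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- NONE: the container serves these URLs over plain HTTP, so the
           FORM login fields (j_username / j_password) and the session
           cookie cross the network unencrypted. -->
      <!-- <transport-guarantee>NONE</transport-guarantee> -->

      <!-- CONFIDENTIAL: the container serves these URLs only over SSL and,
           as described in the question, redirects an HTTP request to the
           SSL port. The certificate is not named anywhere in web.xml; it
           comes from the server's own SSL listener configuration. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>FORM</auth-method>
    <form-login-config>
      <form-login-page>/login.jsp</form-login-page>
      <form-error-page>/login-error.jsp</form-error-page>
    </form-login-config>
  </login-config>

  <security-role>
    <role-name>appuser</role-name>
  </security-role>

</web-app>
```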
 