
User Authentication possible?

 
Ed Ward
Ranch Hand
Greetings all.

I'm working on a contract where the client is taking a first step at SOA, mainly for
automating now manual processes. Part of the requirement is to implement a user interface to
input/view data. The user interface is to be a web-app and any new business logic is to be
done using JEE/Java web services. CACs (Common Access Cards) (PKI certificates) are to be
used for user authentication along with SSL. The problem is that while the client has stated that the user
interface is to be made available as a thin-client (web browser), they have also stated that
the server is NOT to be certificate enabled, only the application.

Is this even possible?

This client is extremely frustrating as they have tasked many of their own people with JEE
design and project management, yet not a single one of them has ever done any JEE development, and very little, if
any, other programming, and they are very lacking in the area of project management and meeting organization.

If it is possible, I suspect it would either be a huge amount of work, or require purchasing
a third party product, which again, is something they have said they do not want to get locked into.

Any thoughts?

-Ed.
 
Tim Holloway
Bartender
I don't get a very clear picture of what you need, and that's probably because you haven't been given one yourself. However, basic HTTP allows certificates on the client, the server, or both. Usually, the cert is server-only so that any would-be client staggering in off the street can securely talk to the server. However, in some cases, not just any client should have that ability, which is when you pass out certs to be installed on the client's machine.

That covers TLS, but you also are probably going to need some sort of infrastructure on the server in order to manage the users within the app(s) themselves. For one thing, you don't have the ability to do fine-grained authorization operations like enforce user security roles using only a cert. The cert secures transport, but doesn't control application internals.
 
Ed Ward
Ranch Hand
Essentially, what I think I'm asking is, is it possible to do 2-way mutual client-cert authentication without having to configure it at the server?


Thanks.
 
Tim Holloway
Bartender
No. You do have to tell the server what the transport rules are. You just don't have to provide a server-side cert for each client. However, each client does have to have a cert in that event.
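Tim's two points in code, as an added example that is not from the thread: the container does the mutual-TLS handshake (for example Tomcat's HTTPS connector with clientAuth="true" and a truststore holding the CAC issuing CAs), and the web app only reads the already-verified certificate and maps it to its own roles, because the cert proves identity at the transport layer but says nothing about application roles. The filter class, the app.user/app.roles attribute names and the subject-to-roles table are assumptions.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: runs after the container has validated the client
// certificate chain against its truststore. It never does TLS itself.
public class ClientCertRoleFilter implements Filter {

    // Standard servlet attribute under which the container exposes the verified chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Constructed sample mapping of certificate subject DN (RFC 2253 form) to app roles.
    // A real deployment would look this up in a directory or database.
    private static final Map<String, Set<String>> ROLES_BY_SUBJECT = Map.of(
        "CN=Ed Ward,OU=Contractors,O=Example Agency,C=US", Set.of("data-entry", "data-view"));

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // No client cert: the connector was not configured to request one, or the
            // browser had none to present. The application cannot fix this on its own.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        // certs[0] is the end-entity certificate, i.e. the user's CAC identity cert.
        String subject = certs[0].getSubjectX500Principal().getName();
        Set<String> roles = ROLES_BY_SUBJECT.getOrDefault(subject, Set.of());
        if (roles.isEmpty()) {
            // Valid cert but no application account: authenticated, not authorized.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "no application roles for " + subject);
            return;
        }
        request.setAttribute("app.user", subject);
        request.setAttribute("app.roles", roles);
        chain.doFilter(request, response);
    }

    @Override public void init(FilterConfig cfg) { }
    @Override public void destroy() { }
}
```

Map the filter to the protected URL patterns in web.xml; if the container is not configured for client certificates, every request stops at the 401 branch, which is exactly why the server side cannot be left out.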