Win a copy of JDBC Workbook this week in the JDBC and Relational Databases forum
or A Day in Code in the A Day in Code forum!
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Paul Clapham
  • Jeanne Boyarsky
  • Junilu Lacar
  • Henry Wong
Sheriffs:
  • Ron McLeod
  • Devaka Cooray
  • Tim Cooke
Saloon Keepers:
  • Tim Moores
  • Stephan van Hulst
  • Frits Walraven
  • Tim Holloway
  • Carey Brown
Bartenders:
  • Piet Souris
  • salvin francis
  • fred rosenberger

Client authentication

 
Ranch Foreman
Posts: 1896
12
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
According to Martin Kalin's Java WS Up and Running, p.198, it says:
"The web server typically does not challenge the browser.... The usually one-sided authentication challenge, with the client challenging the server but not the other way round. Tomcat's server.xml :"

"The default client behavior is to challenge the server."

But according to JEE tutorial, chapter 42, it says "With client authentication, the web server authenticates the client by using the client’s public key certificate. Client authentication is a more secure method of authentication than either basic or form-based authentication. It uses HTTP over SSL (HTTPS), in which the server authenticates the client using the client’s public key certificate."

So, which quote is correct?
My question is:
Should the server authenticate the client or should the client authenticate the server during client authentication? Or, the client authenticates the server if clientAuth is set to true?
 
Himai Minh
Ranch Foreman
Posts: 1896
12
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
To answer my own question, here is another quote from http://docs.oracle.com/cd/E12839_01/web.1111/b32511/standards.htm:
"One-way authentication (or server authentication): Only the server authenticates itself to the client. The server sends the client a certificate verifying that the server is authentic. This is typically the approach used for Internet transactions such as online banking."

I think server authentication is what Martin Kalin is refering to and client authentication is the other way round.
 
If you are using a wood chipper, you are doing it wrong. Even on this tiny ad:
Devious Experiments for a Truly Passive Greenhouse!
https://www.kickstarter.com/projects/paulwheaton/greenhouse-1
    Bookmark Topic Watch Topic
  • New Topic