• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Liutauras Vilda
  • Jeanne Boyarsky
  • Devaka Cooray
  • Paul Clapham
Sheriffs:
  • Tim Cooke
  • Knute Snortum
  • Bear Bibeault
Saloon Keepers:
  • Ron McLeod
  • Tim Moores
  • Stephan van Hulst
  • Piet Souris
  • Ganesh Patekar
Bartenders:
  • Frits Walraven
  • Carey Brown
  • Tim Holloway

Client authentication

 
Ranch Hand
Posts: 1738
12
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
According to Martin Kalin's Java WS Up and Running, p.198, it says:
"The web server typically does not challenge the browser.... The usually one-sided authentication challenge, with the client challenging the server but not the other way round. Tomcat's server.xml :"

"The default client behavior is to challenge the server."

But according to JEE tutorial, chapter 42, it says "With client authentication, the web server authenticates the client by using the client’s public key certificate. Client authentication is a more secure method of authentication than either basic or form-based authentication. It uses HTTP over SSL (HTTPS), in which the server authenticates the client using the client’s public key certificate."

So, which quote is correct?
My question is:
Should the server authenticate the client or should the client authenticate the server during client authentication? Or, the client authenticates the server if clientAuth is set to true?
 
Himai Minh
Ranch Hand
Posts: 1738
12
  • Mark post as helpful
  • send pies
  • Quote
  • Report post to moderator
To answer my own question, here is another quote from http://docs.oracle.com/cd/E12839_01/web.1111/b32511/standards.htm:
"One-way authentication (or server authentication): Only the server authenticates itself to the client. The server sends the client a certificate verifying that the server is authentic. This is typically the approach used for Internet transactions such as online banking."

I think server authentication is what Martin Kalin is refering to and client authentication is the other way round.
 
Consider Paul's rocket mass heater.
  • Post Reply Bookmark Topic Watch Topic
  • New Topic
Boost this thread!