
how to get a list of personal x509 certificates?

 
Julian cansado
Greenhorn
Posts: 3
(Sorry for my English)
Hello. Firstly, I have to say that I'm new to Web development. I'm learning by myself thanks to the information I find on the Internet.

I'm developing a JSF application with Eclipse, JSF 2, Tomcat 7 and PrimeFaces 5. I'm quite happy with my progress, but I'm stuck now.
I've managed to establish an SSL connection (https) with OpenSSL.

I'd like my application to press a button in the login form, and show the list of personal X509 certificates which are in the browser's store.
Many websites implement this functionality, so I realize that this is possible, and without using applets.
Is this so hard?
I'm looking for examples but I can't find anything.
Can anyone help me?
Thanks

Julián
 
Tim Holloway
Bartender
Posts: 18662
¡Bienvenido Julian! Welcome to the JavaRanch!

I have doubts about server-side code being able to do that, since it's requiring the server to tap into the client's security manager and stuff like that is usually prohibited because of the potential for malicious exploitation.

About as close as I think you might be able to get would involve digitally signed JavaScript.
 
Julian cansado
Greenhorn
Posts: 3
Thanks for the response, Tim.
I don't know what "digitally signed JavaScript" is, but I'm quite sure that you can do that with server code.
When I access my university web page I can log in with username/password or I can choose a certificate from a list (the list stored on the browser) to get authenticated.
This is exactly what I want to achieve.
I'm sure this isn't implemented with applets because applets always prompt the user to accept them.
But I don't know how it's implemented.
I can't believe that there isn't a server-side technology which can do this.

Julián
 
Tim Holloway
Bartender
Posts: 18662
One of the reasons why I have doubts that server-side code can do this is simply that it's server-side code and what you want is stored somewhere in the browser (client). And if there's an RFC for an HTTP/HTML function to display client-internal data, I've never heard of it.
 
Julian cansado
Greenhorn
Posts: 3
I did this example step by step (http://virgo47.wordpress.com/2010/08/23/tomcat-web-application-with-ssl-client-certificates/) and it worked, but this isn't exactly what I want.
When I access https://localhost:8443/myapp the browser shows a certificate, but (1) it only shows the certificate I created in the example, and (2) this happens every time I access my application, and I only wish that this happens when I press a button.
I think this is too difficult for me, and it's only for Java security experts. Thanks, however.
 
Tim Holloway
Bartender
Posts: 18662
71
Android Eclipse IDE Linux
I think you're confusing client certificates with server certificates.

Usually when you use SSL on a webapp, your client is running through a chain of server certificates. Their purpose is to assert that the server that you are talking to is, in fact, the server you think you are talking to.

Client certificates are different. A client certificate is something that a server administrator can generate and send to be installed into the client so that the client can establish secure communications without having to login. Because, in effect, the certificate itself is the login.

Client certs aren't used much. They identify the system more than they do the user, and if the computer gets stolen or used by unauthorized persons, there's no way for the server to know that Bad Things are being done.

And, unless I mis-read this article, it outlines the process by which you construct, install, and ship out client certs. As opposed to being able to list certs already installed on the client. Which, like I said, isn't something I'd expect a server to be able to do easily, since A) it's a security risk, and B) every client can have a different sort of cert database, with no standard API for external requesters to use to access it.
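
An added example, not part of the thread or of the linked article: a server cannot enumerate the browser's certificate store, but it can request a client certificate during the TLS handshake, after which the browser shows its own chooser and sends only the certificate the user picks. The servlet below reads that certificate on Tomcat 7; the path `/certlogin`, the class name and the `web.xml` settings described in the comments are assumptions, and the realm must map the certificate's subject to a user.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example, not code from the thread. Assumes Tomcat 7 (Servlet 3.0).
// "/certlogin" is a hypothetical path that the login form's button links to.
// Assumed web.xml: a <security-constraint> covering only /certlogin plus
// <login-config><auth-method>CLIENT-CERT</auth-method></login-config>, with the
// HTTPS connector left at clientAuth="false", so the browser's certificate
// dialog appears for this URL only and not for the rest of the application.
@WebServlet("/certlogin")
public class CertLoginServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        // The container stores the chain the browser presented during the TLS
        // handshake under this standard Servlet attribute; element 0 is the
        // user's own certificate.
        X509Certificate[] chain = (X509Certificate[])
                req.getAttribute("javax.servlet.request.X509Certificate");

        if (chain == null || chain.length == 0) {
            // Plain HTTP, or the user cancelled the dialog / has no matching cert.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "No client certificate presented");
            return;
        }

        X509Certificate userCert = chain[0];
        try {
            userCert.checkValidity(); // rejects expired or not-yet-valid certs
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Client certificate is outside its validity period");
            return;
        }

        // Only the selected certificate is visible here, never the browser's store.
        resp.setContentType("text/plain");
        resp.getWriter().println("Subject: " + userCert.getSubjectX500Principal().getName());
        resp.getWriter().println("Issuer:  " + userCert.getIssuerX500Principal().getName());
        resp.getWriter().println("Serial:  " + userCert.getSerialNumber().toString(16));
    }
}
```

Which certificates the browser offers in its dialog is decided by the client, typically those issued by a CA that the server's truststore advertises as acceptable.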
 