Using Two-Way SSL Authentication with Servlets
5.4.3.4 Using Two-Way SSL Authentication with Servlets
To authenticate Java clients in a servlet or any other server-side Java class, you must check whether the client presented a digital certificate and if so, whether the certificate was issued by a trusted certificate authority. The servlet developer is responsible for asking whether the Java client has a valid digital certificate. When developing servlets with the WebLogic Servlet API, you must access information about the SSL connection through the getAttribute method of the HTTPServletRequest object. The following attributes are supported in WebLogic Server servlets: ■ javax.servlet.request.X509Certificate ■ java.security.cert.X509Certificate []—returns an array of the X.509 certificate. ■ javax.servlet.request.cipher_suite—returns a string representing the cipher suite used by HTTPS. ■ javax.servlet.request.key_size— returns an integer 0, 40, 56, 128, 168 representing the bit size of the symmetric bulk encryption key algorithm. ■ weblogic.servlet.request.SSLSession ■ javax.net.ssl.SSLSession—returns the SSL session object that contains the cipher suite and the dates on which the object was created and last used. You have access to the user information defined in the digital certificates. When you get the javax.servlet.request.X509Certificate attribute, it is an array of type java.security.cert.X509Certificate. You simply cast the array to that type and examine the certificates. A digital certificate includes information, such as the following: ■ The name of the subject holder, owner and other identification information required to verify the unique identity of the subject. ■ The subjects public key ■ The name of the certificate authority that issued the digital certificate ■ A serial number ■ The validity period or lifetime of the digital certificate as defined by a start date and an end date5.4.4 Using a Custom Hostname Verifier
A hostname verifier validates that the host to which an SSL connection is made is the intended or authorized party. A hostname verifier is useful when a WebLogic client or a WebLogic Server instance is acting as an SSL client to another application server. It helps prevent man-in-the-middle attacks. Note: For information on JNDI contexts and threads and how to avoid potential JNDI context problems, see JNDI Contexts and Threads and How to Avoid Potential JNDI Context Problems in Programming JNDI for Oracle WebLogic Server.Parts
» Oracle Fusion Middleware Online Documentation Library
» Document Scope Audience for This Guide
» Guide to this Document Related Information
» New and Changed Security Features in This Release What Is Security?
» Authentication Authorization Java EE Security
» User Name and Password Authentication
» Digital Certificate Authentication Authentication With Web Browsers
» Using Secure Cookies to Prevent Session Stealing
» Developing BASIC Authentication Web Applications
» Using WLST to Check the Value of enforce-valid-basic-auth-credentials
» Developing FORM Authentication Web Applications
» Developing Swing-Based Authentication Web Applications Deploying Web Applications
» auth-constraint security-constraint web.xml Deployment Descriptors
» security-role security-role-ref user-data-constraint web.xml Deployment Descriptors
» externally-defined weblogic.xml Deployment Descriptors
» security-permission-spec security-role-assignment weblogic.xml Deployment Descriptors
» getUserPrincipal isUserInRole Using Programmatic Security With Web Applications
» JAAS Authentication APIs JAAS Authentication Development Environment
» JAAS Client Application Components
» WebLogic LoginModule Implementation JVM-Wide Default User and the runAs Method
» Writing a Client Application Using JAAS Authentication
» Using JNDI Authentication Oracle Fusion Middleware Online Documentation Library
» Java Client JAAS Authentication Code Examples JSSE and WebLogic Server
» SSL Authentication APIs SSL Certificate Authentication Development Environment
» SSL Client Application Components
» SSLClient Sample SSLSocketClient Sample
» Two-Way SSL Authentication with JNDI
» Using Two-Way SSL Authentication Between WebLogic Server Instances
» Using Two-Way SSL Authentication with Servlets
» Using the CertPath Trust Manager Using a Handshake Completed Listener
» Using an SSLContext Using URLs to Make Outbound SSL Connections
» Declarative Authorization Programmatic Authorization
» SSL Client Code Examples Using Declarative Security With EJBs
» method method-permission ejb-jar.xml Deployment Descriptors
» role-name run-as security-identity ejb-jar.xml Deployment Descriptors
» security-role security-role-ref ejb-jar.xml Deployment Descriptors
» externally-defined weblogic-ejb-jar.xml Deployment Descriptors
» identity-assertion iiop-security-descriptor integrity principal-name
» role-name run-as-identity-principal weblogic-ejb-jar.xml Deployment Descriptors
» run-as-principal-name run-as-role-assignment weblogic-ejb-jar.xml Deployment Descriptors
» security-permission security-permission-spec security-role-assignment transport-requirements
» ConnectionFilterImpl Class ConnectionEvent Class
» Connection Filter Rules Syntax Types of Connection Filter Rules
» Modifying the weblogic.policy file for General Use
» Setting Application-Type Security Policies Setting Application-Specific Security Policies
» Using Java EE Security to Protect WebLogic Resources SAML API Description
» Custom POST Form Parameter Names
» Overview of Creating a Custom SAML Name Mapper
» SAMLAttributeStatementInfo Class Classes, Interfaces, and Methods
» SAMLCredentialAttributeMapper Interface Classes, Interfaces, and Methods
» Make the Custom SAMLCredentialAttributeMapper Class Available in the Console
» What Are SAML SSO Attributes?
» How to Implement SAML Attributes
» Example Custom SAML 2.0 Credential Attribute Mapper
» Custom SAML 2.0 Identity Asserter Attribute Mapper
» Example Custom SAML 1.1 Credential Attribute Mapper
» Custom SAML 1.1 Identity Asserter Attribute Mapper
» Instantiate a CertPathSelector CertPath Building
» Instantiate a CertPathBuilderParameters CertPath Building
» Use the JDK CertPathBuilder Interface Example Code Flow for Looking Up a Certificate Chain
Show more