
Using Client Certificates for Authentication

There are at least two ways to use client certificates for authentication, but only one is likely to be supported by most servlet engines. The first way to do certificate authentication is to set the authentication method in the <auth-method> tag to CLIENT-CERT. If you're using Tomcat, you can use this method; otherwise you may not be able to. Not all servers support this type of authentication.

After the client has been authenticated, you can access the java.security.Principal object that represents the user by calling getUserPrincipal. If getUserPrincipal returns null, the client isn't authenticated.

Tomcat must be set up to perform SSL client certificate authentication. Consult the documentation for instructions on how to do this. To enable your Web application to use client certificates, you simply need to create a web.xml that looks like this:


<web-app>
   <display-name>My CLIENT-CERT Web Application</display-name>
   <description>An Application that uses CLIENT-CERT for Authentication</description>
   <login-config>
      <auth-method>CLIENT-CERT</auth-method>
      <realm-name>Authenticated Users Only Area</realm-name>
   </login-config>
...

If you aren't working with a server that supports CLIENT-CERT, your second option is to not use the normal authentication mechanism and go back to checking authentication manually, as you did in Hour 12. If you use an SSL-enabled servlet engine such as Tomcat, you might be able to access the client's certificate by accessing the javax.servlet.request.X509Certificate attribute in the request object.

The idea is that you keep a database of valid certificate numbers, and when a user accesses your site, you check the certificate number against the list of valid numbers. If the numbers match, you allow the user in. Because a trusted certificate authority digitally signs the certificates, it is almost impossible to forge a certificate.

Listing 23.10 shows a segment of code that accesses the client's certificate.

Listing 23.10 Code to Access a Client Certificate
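    // Requires: import java.security.cert.X509Certificate;
    // The container exposes the client's certificate chain as an array;
    // the client's own certificate is the first element.
    X509Certificate[] certs = (X509Certificate[])
        request.getAttribute("javax.servlet.request.X509Certificate");

    if (certs != null && certs.length > 0)
    {
        X509Certificate cert = certs[0];
        String serialNumber = cert.getSerialNumber().toString();
        String issuer = cert.getIssuerDN().getName();

        // validate the serialNumber/issuer against a valid list here...
    }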

The serial number alone is not necessarily unique. It is required to be unique only within a single certificate authority. For extra safety, you should check both the serial number and the name of the certificate issuer to make sure that you have the correct certificate.
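One way to implement the issuer-plus-serial check described above, as an added example that is not part of the original listing. The CertAllowlist class and its method names are hypothetical, the sample issuer names and serial numbers are constructed, and the code assumes the servlet container has already validated the certificate chain during the SSL handshake.

```java
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/** Allowlist keyed on (issuer, serial number); hypothetical helper for this example. */
public class CertAllowlist {
    private final Set<String> allowed = new HashSet<>();

    // The canonical DN form folds case and whitespace, so the same issuer
    // written two different ways maps to the same key.
    private static String key(X500Principal issuer, BigInteger serial) {
        return issuer.getName(X500Principal.CANONICAL) + "#" + serial.toString(16);
    }

    public void allow(String issuerDn, BigInteger serial) {
        allowed.add(key(new X500Principal(issuerDn), serial));
    }

    public boolean isAllowed(X500Principal issuer, BigInteger serial) {
        return allowed.contains(key(issuer, serial));
    }

    /** attr is the value of request.getAttribute("javax.servlet.request.X509Certificate"). */
    public boolean isAllowed(Object attr) {
        if (!(attr instanceof X509Certificate[])) return false; // no client certificate
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) return false;
        X509Certificate client = chain[0]; // the client's own certificate comes first
        return isAllowed(client.getIssuerX500Principal(), client.getSerialNumber());
    }

    public static void main(String[] args) {
        // Constructed sample values, not taken from real certificates.
        CertAllowlist list = new CertAllowlist();
        list.allow("CN=Example Issuing CA, O=Example Corp, C=US", new BigInteger("1001"));

        System.out.println("same issuer, different case and spacing: " + list.isAllowed(
            new X500Principal("cn=example issuing ca,o=Example Corp,c=us"), new BigInteger("1001")));
        System.out.println("same serial number, different issuer: " + list.isAllowed(
            new X500Principal("CN=Other CA, O=Other Org, C=US"), new BigInteger("1001")));
        System.out.println("request without a client certificate: " + list.isAllowed(null));
    }
}
```

In a servlet or JSP, pass the request attribute straight to isAllowed(Object) and refuse the request when it returns false.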
