SECTION: 400-Security
TITLE: Client Certificates
QUESTION: How do I use Client Certificate Authentication?
<p>This is an overview of how to configure Jetty's SSL listener to require
client certificates. There are only two steps:
<ol>
<li>Configure Jetty to use SSL. See for example <a href="SslListener.html">
Using Jetty and JSSE</a>. Be sure to test the plain SSL configuration before
turning on client certificates.
<li>Configure the SSL listener to require client certificates. You have already
configured a SunJsseListener to get SSL to work at all. Add a <Set/> tag
to the configuration that sets NeedClientAuth to "true". The new tag is the
last set in the example below:
<pre>
<Call name="addListener">
<Arg>
<New class="org.mortbay.http.SunJsseListener">
<Set name="Port">8443</Set>
<Set name="MinThreads">5</Set>
<Set name="MaxThreads">255</Set>
<Set name="MaxIdleTimeMs">50000</Set>
<Set name="Password">secretPassword</Set>
<Set name="KeyPassword">verySecretPassword</Set>
<Set name="NeedClientAuth">true</Set>
</New>
</Arg>
</Call>
</pre>
</ol>
<p>Just as when you configured the plain SSL listener,
you may now access the SSL port with a URL like:
<Code>https://yourhost:8443/Dump</Code>
<P>If you get an javax.net.ssl.SSLException, check that you have
remembered the s in https. Depending on your browser, you may see a dialog
that asks which key the browser should send to the server. If the browser cannot
provide JSSE with an acceptable user certificate, JSSE will drop the connection
and not allow the user to proceed. Depending on the user's browser, the dropped
connection may produce either a completely blank (white) screen or an error
page.
<P>
Jetty also supports optional user certificates, where encountering a
INTEGRAL or SECURE data constraint will request an SSL renegoatiation.
Currently the RI of JSSE does not appear to support this, but other SSL
implementations may.
<p>Note that:
<ul>
<li>The standard SSL port is 443. If the listener specifies this port, then
the URL need not contain a port specification.
<li>There is no standard port for SSL with client authorization other than the
overall standard SSL port 443. Thus if you want to run two SSL ports under your
Jetty server, one with client certificates and one without, you will need to
configure two SSL listeners and run at lease one of them on a non-standard port
such as 8443.
</ul>
<p>The listener configuration above causes Jetty to add the certificate array obtained
from the SSL listener, to the current HTTP request object under
key javax.servlet.request.X509Certificate. This is a necessary condition for a
web application that uses client-cert authentication via an entry in its web.xml
file similar to
<Code><login-config><auth-method>CLIENT-CERT</auth-method></login-config>
</Code>
However, this entry is not sufficient for client-certificate authentication within
a web application, as the certificates must be checked against a UserRealm implementation.
The UserRealms provided with jetty do not provide any certificate handling.
<!-- RWS Greg - is the last sentence correct? -->
Within the JBoss J2EE server, the CLIENT-CERT auth method causes JBoss to save
the certificate chain as the credential associated with the request. A custom
written login module (JBoss currently includes no standard client-cert login
module) can map this certificate chain into the appropriate list of J2EE roles.
<p>Note that the object stored under request key javax.servlet.request.X509Certificate
(or the JBoss certificate credential) is always an array of objects of class
java.security.cert.X509Certificate. Per the Javadoc documentation for
SSLSession.getPeerCertificates(), index #0 of this array is always the user's
certificate. It is not clear if there is any way to configure JSSE or the browser
to return anything other than the user's certificate. For most applications it
seems prudent to use cert[0] only and not depend on the presence of anything
else in the certificate chain.
<h3> Environment and version information</h3>
<p>This procedure was tested with Jetty embedded in JBoss 3.0.3. Jetty and JBoss
were compiled using Sun's JDK 1.4.1.
<p>
<font size="-1">
Written by R.W. Shore, 31-Oct-2002.<br>
</font>
