在Java Web应用程序CAC认证 [英] CAC authentication in a Java WebApp

问题描述

我看到有计算器上一些其他的Java和CAC职位。我与所有的这些东西一个初学者，我现在还在一个什么样的框架做的，凡在我心里去了。

我做了一个使用集体行动条款的Windows 7盒来验证谁想要进入他们的电脑的用户一个很大的组织工作。他们坚持的CAC他们在密码键盘和类型。

我的老板想改变我们的Java Webap，使得它不会使，如果他们有他们的CAC在他们的计算机上的用户进行认证。如果不是这样，他们会通过传统的LDAP登录。

我们正在使用WebLogic 11g和Java 6中。

从周围的Googling好像有两种做法：

1. 实现一个小程序来读取用户的CAC，并发送一个SSL证书到Web应用程序。




2. 实现Web服务器相互SSL认证，这将导致浏览器在CAC SSL证书发送到Web应用程序

我有我的选择是正确的评价？

哪种解决方案是更容易？

这将少些麻烦，从长远来看，更强大的？

我知道旁边没有关​​于SSL，这似乎在这两种解决方案是共同的。我发现，去在长约抽象的概念，一些SSL教程。谁能推荐一个很好的教程为我想干什么？

感谢很多提前任何信息或提示

史蒂夫

解决方案

  

  

1. 实现一个小程序来读取用户的CAC，并发送一个SSL证书到Web应用程序。


  

2. 实现Web服务器相互SSL认证，这将导致浏览器在CAC SSL证书发送到Web应用程序


  

您会想要做＃2。你真的不希望有与智能卡硬件/软件一塌糊涂。让OS做所有的工作。

我做这个IIS上，但一般，要实现这一点，你需要配置你的Web服务器需要客户端证书和信任的CAmod。您可能需要配置你的Web服务器发布到CAS它信任的客户。如果Win7的客户端具有由你信任的CA签署了客户端证书，客户端将尝试使用它。如果它是一个智能卡证书时，Windows会自动提示输入引脚的用户;你不必担心。如果用户键入正确的PIN，该证书将被发送到Web服务器，然后它应该能够与CA验证证书如果它是一个有效的证书，你的软件就可以解析证书中的字段和使用的值，以帮助用户进行身份验证（即，是否，尽管有一个有效的证书，用户实际上可以登录基于其名称/电子邮件地址/等等）。这取决于你如何从那里处理它。

您将有一个更容易的时间搞清楚了这一点，并找到信息，如果您忘记了用户使用智能卡或CAC，只是与你要使用客户证书进行身份验证的想法开始。通过创建一个自签名的CA证书考试开始。然后创建通过测试CA签名为你的web服务器的服务器证书和客户端证书添加测试CA证书作为客户端和服务器上受信任的根证书。然后尝试编写使用客户端证书来验证你的web服务器一个小的测试应用程序。一旦你的工作，你可以添加modCA，并试图拉出来的信息在CAC证书。

好运！

I saw that there were a few other Java and CAC posts on stackoverflow. I am a beginner with all of this stuff and I am still trying to a framework of what to do and where to go in my mind.

I am doing work for a big org that is using CACs with Windows 7 boxes to authenticate users who want to get into their PCs. They stick the CAC in their keyboard and type in a PIN.

My boss would like to alter our Java Webap such that it will not make the users authenticate if they have their CAC in their computer. If not, they will go through the traditional LDAP login.

We are using WebLogic 11g and Java 6.

From Googling around it seems like there are two approaches:

1. Implement an applet to read the user's CAC and send an SSL certificate to the webapp.

2. Implement "mutually SSL authentication" in the web server, which will cause the browser to send the SSL certificate on the CAC to the webapp

Do I have a correct appraisal of my options?

Which solution is easier?

Which will be less hassle, more robust in the long run?

I know next to nothing about SSL, which seems to be common in both solutions. I've found a few SSL tutorials that go on at length about abstract concepts. Can anyone recommend a good tutorial for what I want to do?

Thanks much in advance for any information or tips

Steve

解决方案

1. Implement an applet to read the user's CAC and send an SSL certificate to the webapp.

2. Implement "mutually SSL authentication" in the web server, which will cause the browser to send the SSL certificate on the CAC to the webapp

You will want to do #2. You don't really want to have to mess with smart card hardware / software. Let the OS do all that work.

I've done this on IIS, but generically, to implement this, you will need to configure your web server to require client certificates and to trust the DoD CAs. You may need to configure your web server to advertise to clients which CAs it trusts. If the Win7 clients have a client cert that is signed by a CA you trust, the client will attempt to use it. If it's a smartcard certificate, Windows will automatically prompt the user for the pin; you don't have to worry about that. If the user types the correct pin, the cert will be sent to your web server which should then be able to validate the certificate with the CA. If it's a valid certificate, your software can then parse the fields in the certificate and use the values to help authenticate the user (ie whether, despite having a valid certificate, the user is actually allowed to login based on their name / email address/ etc). It's up to you how to handle it from there.

You will have a much easier time figuring this out and finding information if you forget that the users are using a smartcard or a CAC, and just start with the idea that you're going to use client certificates for authentication. Start by creating a self-signed CA test cert. Then create a server cert for your webserver and a client-certificate signed by your test CA. Add the test CA cert as trusted root cert on the client and the server. Then attempt to write a small test app that uses the client cert to authenticate to your webserver. Once you have that working, you can add the DoD CA and try to pull the info out of a CaC certificate.

good luck!

这篇关于在Java Web应用程序CAC认证的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！