拦截并转发客户端证书到Web服务 [英] Intercepting and forwarding client certificate to webservice
问题描述
我有一个运行在tomcat应用服务器上的web应用程序(gwt)。该Web应用程序使用多种Web服务(登录,应用程序数据传输,查询等)。 Tomcat上的Web服务客户端实现为apache axis2 Web服务客户端。
对于用户登录,我使用用户名和密码在Web应用程序中提供表单。这些数据通过网络服务传输以认证用户。
计划将漏洞验证机制更改为基于客户端验证的验证。身份验证仍应在Web服务提供商一方完成。
所以我的系统有三个相关的组件:web客户端,tomcat应用程序服务器和web服务提供者。
应用程序的每个用户都有自己的私有客户端证书(PKI令牌,X.509- Auth证书)。当用户连接到Web应用程序时,他的证书被请求。
如何转发客户端证书以用于Web服务? (tomcat不会负责认证)。
1。)有没有办法截取请求并提取客户端证书发生认证错误?
我发现一些关于Servlet Filters的信息过滤器听起来真的不错,但我不确定在证书对tomcats keystore进行验证之前,在何处执行它以截取证书。
2。)如果可能的话,我如何才能将客户端证书传递给Web服务?
谢谢阅读
不,不是真的。真正用于身份验证的部分是与证书关联的私钥,而不仅仅是证书本身。而且,通常情况下,您无法从Web客户端中检索它。因此,您无法将从Web客户端收到的凭据真正传递到Web服务客户端。证书本身是随时可用的,但没有相应的私钥就没有用处。
I have a web application (gwt) that is running on a tomcat application server. This web application consumes several web services (login, application data transfer, queries, etc.). The web service client on the tomcat is implemented as apache axis2 web service client.
For user log on I provide a form in the web application with username and password. This data are transmitted via web service to authenticate the user.
It is planned to change the hole authentication mechanism to client certificated based authentication. The authentication still should be done on the web service provider side. So my system has three relevant components: the web client, the tomcat application server and the web service provider.
Every user of the application has its own private client certificate (PKI Token, X.509- Auth-Cert). When the user connects to the web application his certificate is requested.
How can I forward the client certificates for use in the web services? (The tomcat will not be responsible for authentication).
1.) Is there a way to intercept the request and extract the client certificates before authentication error occurred? I found some information about Servlet Filters what sounds really good, but I’m not sure where to implement it to intercept the certificates before they are verified against tomcats keystore.
2.) If it is possible, how can I pass after the client certificate to the web service?
Thank you for reading
No, not really. The real piece used in authentication is the private key associated with the certificate, not just the certificate itself. And, typically, you have no way of retrieving that from the web client. Therefore, you cannot really pass-through the credentials you receive from a web client on to the web service client. The certificate itself is readily available, but is useless for authentication without the corresponding private key.
这篇关于拦截并转发客户端证书到Web服务的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
