SSL/TLS Client Authentication
In this topic, SSL/TLS (Secure Socket Layer/Transport Layer Security) client authentication and HTTPS client authentication are used interchangeably. HTTPS is HTTP carried over a secure channel established with SSL/TLS, the protocols that negotiate and set up an encrypted connection on top of a TCP connection. HTTP Basic authentication happens at the HTTP protocol level, and form-based authentication happens at the application level (above the protocol level). HTTPS client authentication happens below the HTTP protocol level, at the transport level.
HTTPS can use SSL/TLS in two ways:
• The first and most common way is to require only the server side of the SSL connection to present a certified public key, in the form of a server certificate. This covers use cases in which the client wants to be certain it is talking to the intended server, while the server, if it needs to authenticate the client, is willing to use a conventional mechanism such as HTTP Basic or form-based authentication.
• The second way is to require both the server and client sides of the SSL connection to have certified public keys. In this case, the server identifies the client based on the client certificate used when establishing the SSL connection. This is also called mutual SSL authentication or 2-way SSL authentication. For Java EE web applications, this is called HTTPS client authentication.
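The following servlet shows the server side of the second mode: once the container has completed a 2-way SSL handshake, the Servlet API exposes the validated client certificate chain to application code under the standard request attribute `javax.servlet.request.X509Certificate`. This is an added illustration, not code from the original page or from the product it documents; the class name `ClientCertServlet` and the URL it is mapped to are assumptions.

```java
import java.io.IOException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical servlet; identifies the caller from the client certificate
// presented during the TLS handshake (mutual / 2-way SSL).
public class ClientCertServlet extends HttpServlet {

    // Standard Servlet API attribute under which the container publishes the
    // client certificate chain it accepted during the handshake.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = extractChain(req);
        if (chain == null) {
            // No usable client certificate: the connection is not TLS, the
            // container did not request/require a client certificate, or the
            // certificate is outside its validity period.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        // chain[0] is the end-entity certificate. The container has already
        // validated the chain against its truststore; the application only
        // needs to derive an identity from it.
        String subject = chain[0].getSubjectX500Principal().getName();
        resp.setContentType("text/plain");
        resp.getWriter().println("Authenticated client: " + subject);
    }

    // Returns the client certificate chain, or null when none is available
    // or the end-entity certificate is not currently valid.
    static X509Certificate[] extractChain(HttpServletRequest req) {
        if (!req.isSecure()) {
            return null;
        }
        Object attr = req.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null;
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0) {
            return null;
        }
        try {
            chain[0].checkValidity(); // belt-and-braces; the container normally enforces this
        } catch (CertificateException e) {
            return null;
        }
        return chain;
    }
}
```

The attribute is only populated when the container's connector is configured to request (or require) a client certificate and has a truststore containing the issuing CA; without that configuration the attribute is absent and the servlet returns 401, which is the safe default.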
HTTPS client authentication happens outside the HTTP protocol authentication mechanisms (such as form-based authentication), because it takes place below the HTTP protocol. It can therefore remain transparent to the application code that uses HTTP (unlike form-based authentication). For this to work, the user’s certificate and private key must be available when SSL connections are opened. For Java applications, this can require setting Java system properties that communicate the necessary keystore properties to the protocol handlers.
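The client side described above, as an added example that is not part of the original page: it shows both ways a Java client can make its certificate and private key available to the HTTPS protocol handler. The `javax.net.ssl.*` system properties are the standard JSSE properties; the keystore paths, passwords and the `https://example.com/...` URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical client that authenticates to a server with a client certificate.
public class MutualTlsClient {

    // Option 1: JSSE system properties, read by the default HTTPS protocol handler.
    // Equivalent to passing -Djavax.net.ssl.keyStore=... on the JVM command line.
    // This affects every HTTPS connection opened in the JVM.
    static void configureViaSystemProperties(String keyStorePath, String keyStorePassword,
                                             String trustStorePath, String trustStorePassword) {
        System.setProperty("javax.net.ssl.keyStore", keyStorePath);           // client cert + private key
        System.setProperty("javax.net.ssl.keyStorePassword", keyStorePassword);
        System.setProperty("javax.net.ssl.trustStore", trustStorePath);       // CAs trusted for the server cert
        System.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
    }

    // Option 2: build an SSLContext explicitly so the client key is scoped to the
    // connections that use this context rather than the whole JVM.
    static SSLContext buildContext(String keyStorePath, char[] keyStorePassword,
                                   String trustStorePath, char[] trustStorePassword) throws Exception {
        // Keystore holding the client's certificate and private key.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            keyStore.load(in, keyStorePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePassword);

        // Truststore holding the CA certificates the client accepts for the server.
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePassword);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder paths and passwords; replace with real ones.
        SSLContext ctx = buildContext("/path/to/client.p12", "changeit".toCharArray(),
                                      "/path/to/truststore.p12", "changeit".toCharArray());
        URL url = new URL("https://example.com/secure/resource"); // placeholder URL
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is left in place: the server certificate
        // must still match the host name, so server authentication is not weakened.
        System.out.println("HTTP status: " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

The server only sees the client certificate if the handshake reaches the certificate-request step, so a missing or wrong keystore shows up as a handshake failure (or, with a server that merely requests rather than requires a certificate, as an anonymous connection that falls back to whatever HTTP-level authentication the application configures).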
In addition to host-based certificates, TrustedAuthFilter now supports trusting clients based on 2-way SSL certificates. In this case, the client certificate does not need to be mapped to a particular user; rather, it can simply be an additional credential (much like an invitation to a party or a club membership). This client certificate then provides the user identity. For additional information about using TrustedAuthFilter, see its Javadoc.