I want to host REST APIs over https. REST web services will be written in java probably using spring framework.
These web services will be accessed by java clients (not web browsers), probably using org.apache.http lib.
I am not getting clear picture of working with SSL certificates.
My questions are -
What configurations will be required to host REST web services over "https"?
What configurations will be required at client side for accessing these "https" URIs?
Do I need to buy trusted SSL certificate for REST server or open java keygen will do?
Do I need the same/different certificate copy on REST client too?
No particular configuration, you just need https activated.
No particular configuration, you just need to take care to use libs that check the certificate.
If you write the client, you can use a self signed one, and customize the client to check if it's your certificate. If anybody can write a client, it's better to have a publicly trusted certificate. WARNING : the free let's encrypt certificate are NOT trusted by java !
Why do you want a certificate on your client ?
Side note: if your API is publicly accessible, I strongly advise you do NOT redirect http to HTTPS but instead makes HTTP systematically answer an error. If you don't do so, a developer that use by mistake the http will NOT see the error and that will create security risks.
Related
I'm working on a very simple REST API using the Quarkus framework. I'd like to use client authentication, but after a few tries I eventually found the what I'm trying to achieve doesn't seem possible out of the box.
The API is dockerized and published on an azure app service environment. Unfortunately, I can't get the azure load balancer to talk to my app via SSL. Azure App Services passes the client certificate as a base64 payload in a header field dubbed X-ARR-ClientCert.
Maybe I'm missing some very important piece of knowledge here. Is there any way to leverage the TrustStore and Trust / accept the client certificate straight from the header field?
Should I implement my own Security Identity Provider for doing so
extracting the Certificate from the header
create a Security Identity instance
I have a Servlets/JSP based traditional Java MVC web application on Tomcat server, I want to implement PKI certificate based authentication. In which user doesn't have to provide the login credentials. Here is the basic requirements:
Admin issues the PKI certificate to the client,
Admin sends the PKI certificate to the client and adds it to the PKI Cert Store,
Client adds the certificate to the browser, and
Whenever client clicks on Login button on the application, the application fetches the browser certificate and authenticate the client from the PKI Cert Store.
Please suggest how to proceed with this kind of requirement.
First you set up SSL/TLS at the Tomcat server level.
Then you use a security framework at the webapp level to enforce the SSL client certificate (X.509) authentication requirement on specific URL paths (or patterns of) such as the login URL. One such commonly used library which allows flexible configuration of client certificate authentication is Spring Security, with which you can use either a XML configuration file or Java annotations in your webapp to get what you want. On the documentation link about X.509 authentication, you also have the necessary SSL setup instructions for Tomcat.
You may find another way to do client certificate authentication natively in Tomcat using some configuration in the webapp deployment descriptor (web.xml) and in Tomcat realm configuration (e.g. tomcat-users.xml), but it is quite tedious and far less flexible.
I am trying to write a Web Service test and it needs to connect to a Web Service using a client certificate. I have already set up a server that accepts client certificates and it works correctly when using a .NET client application.
The client certificate works as an authentication mechanism together with spring security plugin, therefore i need a way to write a client that can use my custom certificate when performing a request.
Now i am trying to write an integration test for testing this service but i cannot find any mean to attach client certificate when performing a request. I have thried wsclient for groovy, ws-lite for groovy and even cxf for java. Still no luck.
Is there any way that i can attach my own, custom client certificate to web service client request?
You can use HttpBuilder, specifically look here: http://groovy.codehaus.org/modules/http-builder/apidocs/groovyx/net/http/AuthConfig.html
I have to write a java program that hits a url
https://localhost:8443/ping.jsp
over ssl and returns the response whether the application is up or not. If I hit that url manually from my web browser it asks for security certificates and when I provide them it communicates with the application and displayes the response on the web page. I want to automate this process so that the java program takes care of providing the security certificates and everything. I could do it if it were not for ssl and security certificates but I am not sure how to automate this part (providing certificates).
I have truststore/keystore files but I am not sure how to use them in order to accomplish the task. Any ideas or any useful links that I should follow ?
I am looking for a Java based REST server which support following authentication mechanism. Also please let me know the best resources for the REST based authentication
Token
Certificate
Kerberos
Oauth
Open Id
I am an architect from WSO2... so my reply could be biased...
You can use the open source WSO2 Application Server to deploy your RESTful services and WSO2 Identity server has the support for 2-legged OAuth...
Thanks...
Partial answer for method 2) Certificate:
If you're planning on using certificates for authentication, I must assume that the API will be consumed by a limited number of trusted client applications. I've recently developed and deployed a REST API for internal use within an organization, and we use server-client certificates for authentication. This solution delivers a really high level of security, but is very impractical to use in an externally exposed API. This post gives some information: Java HTTPS client certificate authentication.
Any Java container should support these with either:
Apache / IIS as a reverse proxy deployed for SSO (Single Sign On)
Authentication plugins