I am trying to write a Web Service test and it needs to connect to a Web Service using a client certificate. I have already set up a server that accepts client certificates and it works correctly when using a .NET client application.
The client certificate works as an authentication mechanism together with spring security plugin, therefore i need a way to write a client that can use my custom certificate when performing a request.
Now i am trying to write an integration test for testing this service but i cannot find any mean to attach client certificate when performing a request. I have thried wsclient for groovy, ws-lite for groovy and even cxf for java. Still no luck.
Is there any way that i can attach my own, custom client certificate to web service client request?
You can use HttpBuilder, specifically look here: http://groovy.codehaus.org/modules/http-builder/apidocs/groovyx/net/http/AuthConfig.html
Related
I'm working on a very simple REST API using the Quarkus framework. I'd like to use client authentication, but after a few tries I eventually found the what I'm trying to achieve doesn't seem possible out of the box.
The API is dockerized and published on an azure app service environment. Unfortunately, I can't get the azure load balancer to talk to my app via SSL. Azure App Services passes the client certificate as a base64 payload in a header field dubbed X-ARR-ClientCert.
Maybe I'm missing some very important piece of knowledge here. Is there any way to leverage the TrustStore and Trust / accept the client certificate straight from the header field?
Should I implement my own Security Identity Provider for doing so
extracting the Certificate from the header
create a Security Identity instance
I am making a program all written in Java. Server is Spring Boot RESTful and client is an desktop app made with JavaFX that uses Apache HttpClient library to communicate to the server. Now I need to secure it with SSL/TLS. I am interested in the implementation itself and also whether a self signed certificate is enough since the program will be used only in LAN.
I want to host REST APIs over https. REST web services will be written in java probably using spring framework.
These web services will be accessed by java clients (not web browsers), probably using org.apache.http lib.
I am not getting clear picture of working with SSL certificates.
My questions are -
What configurations will be required to host REST web services over "https"?
What configurations will be required at client side for accessing these "https" URIs?
Do I need to buy trusted SSL certificate for REST server or open java keygen will do?
Do I need the same/different certificate copy on REST client too?
No particular configuration, you just need https activated.
No particular configuration, you just need to take care to use libs that check the certificate.
If you write the client, you can use a self signed one, and customize the client to check if it's your certificate. If anybody can write a client, it's better to have a publicly trusted certificate. WARNING : the free let's encrypt certificate are NOT trusted by java !
Why do you want a certificate on your client ?
Side note: if your API is publicly accessible, I strongly advise you do NOT redirect http to HTTPS but instead makes HTTP systematically answer an error. If you don't do so, a developer that use by mistake the http will NOT see the error and that will create security risks.
I've been working on access management solution for an application (Java EE).
Here is what I have currently: In the application I have a filter that checks whether specific HTTP headers are set and authenticates the user based on these values. The application is never exposed directly to the users, but deployed behind Apache HTTPD that performs SSL client certificate verification. In case verification passes it rewrites some data from certificate to HTTP headers and send request to the JK worker that is handled by application server (JBoss).
What I'd like to do reuse the mechanism described above to be able to deal with alternative methods of pre-authentication. For instance I need SAML so I was wondering about implementing a component that would handle SSO (using SAML or OpenID) then set the HTTP headers (like above) and forward request for processing to JBoss. How that differs from the current implementation described above is that the new authentication mechanism would be implemented in Java rather than as another Apache module.
My questions is how to handle communication from one Java EE application to another Java EE application in the same way Apache HTTPD and Tomcat/JBoss communicates using AJP? Is there any service like that in JBoss?
Similar question I've just managed to find: Is there an implementation of AJP protocole in Java?
I am looking for a Java based REST server which support following authentication mechanism. Also please let me know the best resources for the REST based authentication
Token
Certificate
Kerberos
Oauth
Open Id
I am an architect from WSO2... so my reply could be biased...
You can use the open source WSO2 Application Server to deploy your RESTful services and WSO2 Identity server has the support for 2-legged OAuth...
Thanks...
Partial answer for method 2) Certificate:
If you're planning on using certificates for authentication, I must assume that the API will be consumed by a limited number of trusted client applications. I've recently developed and deployed a REST API for internal use within an organization, and we use server-client certificates for authentication. This solution delivers a really high level of security, but is very impractical to use in an externally exposed API. This post gives some information: Java HTTPS client certificate authentication.
Any Java container should support these with either:
Apache / IIS as a reverse proxy deployed for SSO (Single Sign On)
Authentication plugins