I have been developing a web application using java and I wanted to use implement mutual certificate authentication.
I used a self-signed certificate, I put it on my browser(chrome) and to my glassfish trust store(cacerts.jks) and configure my web.xml and sun-web.xml and works fine.
When I run the application it asked me to choose a certificate and after the proper authentication the page I requested is displayed.
However I need to make different certificate(actually three) and based on the role I want to authorize the user.
But even if I created other two certificates and added to the browser certificate list, the browser didn't list them on the certificate selection prompt except for the first certificate.
It seems that I am adding the certificate to the wrong version of glassfish trust store(cacerts.jks) now everything is working fine. The browser lists all certificate I added and authorize correctly according to the role.
Related
First of all i am sorry if this question is not valid, i am dealing with a situation where i have created the SSL certificate locally and its signed by local CA.
My frontend application is in angular and my backend application is in Spring boot when i try to connect to login from the UI then i need to add this certificate manually for that i had given a link button by clicking of that i will load the backend api in the browser
After this a popup will be open and the backend api will be loaded ,
then manually i need to click on the "Advance" and then proceed to unsafe . After all these steps certificate are getting added in the browser.
Can anyone suggest how to add this automatically without all these manual work.
You can use below configurations to enable self signed certificate on differernt browser. Although remember, this is not for PRODUCTION
Firefox : Go to URL https://localhost:<port_no> and add security exception to allow connections. If connection error still comes, Go to URL about:config and set value for security.mixed_content.block_active_content to false and security.mixed_content.block_display_content to true.
Chrome : Go to URL chrome://flags/#allow-insecure-localhost and click on Enable and restart Chrome to allow connections.
IE 10 and above : Go to URL https://localhost:<port_no> and add the certificate to Trusted Root Certification Authoritiesif certificate error comes.
You'll need to get a new Valid SSL Certificate. This might help
Hi i am new to security domain. So please let me know if i am missing something very obvious.
I am trying to create an application that runs on https and requires a SSL certificate.
i followed the this blog to create a ssl certificate and add it to the java security cacerts.
Now i want to create a https post request to this application. The request fails every time. What i found till now is
The certificate is not verified, thats why it is not authorizing the rest call to proceed.
When i open the application in browser, it asks me to confirm the certificate, once i accept it, all rest calls start working.
Can any one tell me what can i do to avoid this(confirming the certificate.)
1. Can i bypass the ssl certificate check ?
2. Can i add certificate to every rest call.
3. Anything else that i should try.
4. I saw looking at this grails plugin, how do i create a .jks file ?
Ay help will be appriciated.
You can't bypass the certificate check on the clients' side. A very important point of having a certificate at all is for it to be signed by a trusted authority. If you have signed it yourself, you can still have an encrypted connection, but the clients can't know you're verified by a trusted third party.
You can configure the application or web server to use the keystore that your certificate is in in order to attach it to every https request. Look up tomcat ssl configuration.
I would advise that you read up a bit more on https and certificates, it's important to understand some details.
It's preferable that you delegate the ssl management to the application server instead of doing that in your rest calls yourself. See 2. Also, a .jks is just a keystore file. You already have one from the tutorial you've followed.
I have java web application which is running on several tomcats behind apache. Application use HTTPS protocol. Some pages from the app include images from sites which use only HTTP protocol. On pages with this images the client's web browser shows message (warning) that despite service is certified correctly some contents are not secure.
What should I do to avoid this message? Should I use some proxy for this images? Can I do something in java code?
Thanks in advance.
You can't do anything nor should you.
The browser is correct in warning the user even though there are no bad intentions here.
Using a proxy could be useful if you're really worried. In that case, the unencrypted connection is between your server and the hosts of the images instead of between the hosts and the user's browser.
Nothing you can do in java.
You need to register your certificate at some official certification authority, you can do that through the registration authorities.
A registration authority (RA) is an authority in a network that
verifies user requests for a digital certificate and tells the
certificate authority (CA) to issue it.
Google it. Of course you'll pay for that.
Also, you can avoid that browser message if manually add your certificate into Trusted Certificate on client machine.
Is there a way to force client certificate authentication only on a particular part of a web application, i.e. some servlet that handles client certificate authentication?
The clientAuth parameter on server.xml set to 'true' or 'want' works for me, but is inconvenient because it prompts the user to choose a certificate in any part of the application.
On the other hand, I tried setting clientAuth to 'false', and using web.xml to enforce security only on a specific servlet. It worked, but this is limited to the users specified in the tomcat-users.xml file, hence other users' certificates are not authorized to the servlet by tomcat.
I need to be able to restrict client certificate authentication to a particular url of my application, while accepting any certificate (trusted, or even not), for authentication and provisioning purposes (the servlet basically reads the information from any certificate, the application decides what to do).
I know there are similar questions like [1], but I did not find the answer that suits these particular needs. Thanks a lot.
[1] Using CLIENT-CERT for Tomcat without specifying a username
ssl is a network layer works below https. So you cannot control it in a serlvet.
The only way is to deploy your webapp in a non-ssl web server. When a servlet (or other resources) need SSL client auth, just redirect to an https url (the same site with https port, or another site).
I have a swing application deployed in HTTP Server. Users use the browser to point an URL and install the client using java webstart. Now I need to enable https access to my application deployed on HTTP server. I am using JDK 1.5 as default jdk supported in the jnlp file. For time being I use a self signed certificate to the sign the jars (by default created using Sun's jarsigner, keytool, etc, utils).
Solution/steps would be much appreciated.
Thanks in advance
Ramesh
As far as I understand your question you don't need to change anything to your code of the client. If you only want to give access to the JNLP via HTTPS you would only need to reconfigure the application server distributing the JNLP or if you have a webserver in front of the application server (as we do here: user - https -> apache -> AJP -> tomcat) you need to reconfigure the webserver to allow the access to the JNLP via HTTPS.
You need to enable HTTPS on the web server. To get the certificate you need to provide credentials and the host name of the server to a certificate authority (CA) like VeriSign or Thawte. They can provide you with a server certificate signed by their root certificate or some intermediate certificate. This certificate must then be imported into the web server to enable HTTPS over SSL. The web clients, like a browser or webstart will then verify the certificate chain when accessing the server.
If you use a self signed jar, all your users will be presented with a warning message about potentially unsafe code. To avoid this you should get a code signing certificate from a CA, which would be somewhat similar to the web server certificate. This CA-provided certificate can be imported into the keystore and used in the same way you use the self signed certificate. The code signing certificate will be signed by the CA so that the certificate chain can be verified by webstart.
What is the feature of https that you are hoping to leverage?
The signing/server authentication is done by code signing, though you are undermining this using a self-signed certificate.
Does your application code contain secrets that must be hidden from eavesdroppers?
As you say you "need to enable" there must be an underlying reason.
I believe that before you "need https" you need a proper code signing certificate. You might want to rephrase your question so that your underlying problem can be solved instead of the very specific question.