views: 600
answers: 1

Does anybody have a WebLogic 8.1 two-way SSL full example?

I am developing a small web application (1 HTML, 1 Servlet, 1 JSP) to send confidential data. The client could be a web browser. The server is WebLogic 8.1.

The information should travel encrypted. Besides, the web application needs to authenticate the client, using more than a username/password combination. I thought of implementing this using HTTPS and two-way SSL authentication. This way, the user should send me her certificate, which I install on the server, so the web application knows who is sending information.

Now, I know how to use declarative authorization in a web application, but I am lost on how to specify which users I recognize, and which are their certificates.

I just need a full example of this. A .war and/or the steps to do the basic case.

+1  A: 

I don't think you'll find a full example easily and the question is a bit broad. But the link you provided is a very good starting point.

First, configure Two-Way SSL and use CLIENT-CERT. Clients will need to buy a trusted client certificate or to generate a self-signed certificate that you'll need to add to the server trust store. This may be the hardest part if you're not familiar with PKI, but I've added resources at the end of this answer that cover this part. Load the client certificate into each client's browser.

Second, configure an Identity Assertion provider to map the digital certificate of a Web browser to a user in a WebLogic Server security realm. If required, provide your own user name mapper or use the default one (which uses the attributes from the subject DN of the digital certificate or the distinguished name to map to the appropriate user in the WebLogic Server security realm).

Third, add users corresponding to the Subject's Distinguished Name (SubjectDN) attribute in the client's digital certificate to the WebLogic security realm and assign them to groups.

Finally, use these groups in your declarative authorizations.

Sure, it won't be that easy if everything is new but that's basically what you need to do. Maybe start to implement it and open more specific questions if you need more guidance.


More resources:

Pascal Thivent
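As an added example that is not part of the question or the answer above, here is what the four steps look like once they meet the application: the deployment descriptor fragment that requires CLIENT-CERT over a CONFIDENTIAL transport, the weblogic.xml assignment that ties the role to a realm group, and a servlet that verifies the container really did receive a client certificate and really did map it to a realm user. The servlet class name, URL pattern, role name and group name are hypothetical; the attribute name `javax.servlet.request.X509Certificate` and the CLIENT-CERT auth method are standard Servlet 2.3, and the CN-based mapping mirrors the WebLogic default user name mapper's default attribute. The DN parsing uses `javax.naming.ldap.LdapName`, which needs JDK 5 or later.

```java
// Added example, not code from the question or the answer.
// Assumed web.xml fragment for the protected resource:
//
//   <security-constraint>
//     <web-resource-collection>
//       <web-resource-name>Confidential upload</web-resource-name>
//       <url-pattern>/secure/*</url-pattern>
//     </web-resource-collection>
//     <auth-constraint>
//       <role-name>confidential-senders</role-name>   <!-- hypothetical role -->
//     </auth-constraint>
//     <user-data-constraint>
//       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
//     </user-data-constraint>
//   </security-constraint>
//   <login-config>
//     <auth-method>CLIENT-CERT</auth-method>
//   </login-config>
//   <security-role><role-name>confidential-senders</role-name></security-role>
//
// Assumed weblogic.xml fragment mapping the role to the realm group the
// certificate-derived users were added to (step three of the answer):
//
//   <security-role-assignment>
//     <role-name>confidential-senders</role-name>
//     <principal-name>ConfidentialSenders</principal-name>   <!-- hypothetical group -->
//   </security-role-assignment>

import java.io.IOException;
import java.security.Principal;
import java.security.cert.X509Certificate;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class ConfidentialUploadServlet extends HttpServlet {

    // Standard Servlet 2.3 attribute holding the client certificate chain
    // negotiated during the two-way SSL handshake.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // The user-data-constraint should already guarantee this; refusing
        // plain HTTP here catches a descriptor that was edited or misdeployed.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }

        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // The server accepted the connection without a client certificate,
            // so two-way SSL is not actually enforced on this listener.
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        // The identity assertion provider (step two) turns the certificate
        // into a realm user. A null principal means the provider is not
        // active for X.509 tokens or the subject DN matched no realm user.
        Principal user = req.getUserPrincipal();
        if (user == null) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "certificate not mapped to a user");
            return;
        }

        // Programmatic twin of the auth-constraint (step four).
        if (!req.isUserInRole("confidential-senders")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }

        // Sanity check: the asserted user should agree with the CN the default
        // user name mapper would pick from the leaf certificate's subject DN.
        String cn = commonNameOf(chain[0]);
        resp.setContentType("text/plain");
        resp.getWriter().println("authenticated user: " + user.getName()
                + " (certificate CN: " + cn + ", issuer: "
                + chain[0].getIssuerX500Principal().getName() + ")");
    }

    // Returns the CN attribute of the leaf certificate's subject DN, or null
    // if the DN has none. This reproduces the default mapper rule (CN as the
    // user name) so an operator can spot a mismatch in the response.
    static String commonNameOf(X509Certificate leaf) {
        try {
            LdapName dn = new LdapName(leaf.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
            return null;
        } catch (InvalidNameException e) {
            return null;
        }
    }
}
```

The two early `sendError` branches are the checks worth keeping during rollout: if the certificate attribute is empty, the SSL listener is still accepting one-way connections; if the attribute is populated but `getUserPrincipal()` is null, the realm has no user whose name matches the certificate's CN, which is exactly the "which users I recognize" gap the question asks about.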