如何使用用户的证书?
我无法理解使用证书的一般方案。 例如:我在某个网站上有帐户。我有名称和密码。我应该做什么才能登录该网站? - 我应该打开_https://website:443/login并填写字段,如果一切正常,我将获得准入。
现在,我想使用 java + httpclient(apache) 以编程方式执行这些步骤。 我已经写过:
client = new DefaultHttpClient();
client.getParams().setParameter(ClientPNames.COOKIE_POLICY,
CookiePolicy.BEST_MATCH);
client.setCookieStore(new BasicCookieStore());
client.getCredentialsProvider()
.setCredentials(new AuthScope(ADDRESS, new Integer(PORT)),
new UsernamePasswordCredentials(USERNAME, USERPWD));
我应该使用服务器的证书创建 trustStore:
System.setProperty("javax.net.ssl.trustStore", "./KeyStore/myca");
其中“myca”是用“InstallCert.java”(Sun 的产品)制作的。
但我想以编程方式执行所有这些步骤,例如浏览器(FFox 或 Opera)导入服务器的证书...用户只想仅使用我的应用程序,而不是一组附加应用程序。
我怎样才能执行它?
现在,主要问题是:为什么服务器不需要用户的证书?我如何使用自己的证书进行身份验证? (如果我有用户证书,我将不需要“名称”“密码”来登录服务器?)
I can't understand general scheme using certificates.
For example: I have account on the some website. I have name and password. What should I do to login to this site? - I should open _https://website:443/login and fill out fields, and if all is ok, I'll obtain admittance.
Now, I would like to perform these steps programmatically usin java + httpclient(apache).
I've written:
client = new DefaultHttpClient();
client.getParams().setParameter(ClientPNames.COOKIE_POLICY,
CookiePolicy.BEST_MATCH);
client.setCookieStore(new BasicCookieStore());
client.getCredentialsProvider()
.setCredentials(new AuthScope(ADDRESS, new Integer(PORT)),
new UsernamePasswordCredentials(USERNAME, USERPWD));
And I should create trustStore with server's certificate:
System.setProperty("javax.net.ssl.trustStore", "./KeyStore/myca");
where 'myca' were made with 'InstallCert.java' - Sun's product.
But I would like to perform all this steps programmatically, like Browser(FFox, or Opera) import server's certificate...User just want to use only my application, not a set of additional application.
How can I do perform it?
And now, the main problem: why do servers not require user's certificate? And how do I can use my own certificate to authenticate? (If I have user's certificate I will not need 'name''password' to login to server?)
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(1)
服务器不需要用户证书,因为大多数用户没有用户证书,现在不知道它是什么以及如何获得它。即使他们愿意,获得这样的证书要么很困难,要么很昂贵,所以很多用户都不会获得。
因此,任何需要客户端证书的服务器都会使用户数量减少 1000 倍。大多数服务器所有者不希望这样。
取决于您的要求。需要证书+用户名/密码将被视为两因素身份验证,这是一种更强的保护形式,然后只需要一个因素。如果要求某种生物特征识别,它会变得更加强大。
究竟执行什么?您正在谈论“以编程方式”做事,但您已经提供了代码......?
这应该在服务器的配置中完成。您需要设置一个包含信任根证书的信任存储+需要在 ssl 配置中进行客户端身份验证。例如,在此处搜索 clientauth。
Servers do not require user certificates, because most users don't have one, don't now what it is and how to get one. And even if they would, such a certificate is either difficult or expensive to obtain, so many user won't get one.
So any server requiring a client certificate would reduce the number of users probably by a factor of 1000. Most server owners don't want that.
Depends on your requirements. Requiring a certificate + username/password would be considered a two factor authentication, which is a stronger form of protection, then just requiring one factor. It would get even stronger by asking for some kind of biometric identification.
Perform exactly what? You are talking about doing things "programmatically", but you already present code ...?
This should be done in the configuration of your server. You need to setup a trust store containing the trustet root certificates + require client authenticatication in the ssl configuration. e.g search here for clientauth.