J2EE client authentication support in WebSphere Application Server 6.1
I am trying to set up web client certificate based authentication.
Here is my scenario:
I have WebSphere Application Server 6.1. I have Internet Explorer as the web client. I have imported a certificate into Internet Explorer via option -> content tab -> certificate -> import.
In WAS 6.1, I have marked SSL enabled and global security enabled. I have specified "Client authentication=supported" under "SSL certificate and key management > SSL configurations > NodeDefaultSSLSettings > Quality of protection (QoP) settings" in the WAS console.
In my web application, I have specified the following in web.xml:
    <user-data-constraint>
        <transport-guarantee>INTEGRAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>
...
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>your-0548c161e1Node01</realm-name>
</login-config>
When I deployed the application and hit a protected resource URL, I was expecting that WAS would ask for a client certificate after presenting the server certificate; instead I get HTTP error code 403.
I see the following error in the system out log:
WebCollaborat A SECJ0056E: Authentication failed for reason
I am hitting the app URL like this: https://localhost:9443/app/a.do
My questions are:
i) Does WAS 6.1 support client-auth?
ii) If so, should WAS not prompt for a client certificate in the above scenario?
iii) Even if it didn't, should I not see SSL handshake failures in the logs?
Comments (1)
Client authentication of supported implies it might still succeed.
If you want to mandate a certificate from the client you should be specifying "required".
WAS does support client authentication.
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.base.doc/info/aes/ae/usec_sslqualprotect.html
Here is a snip for your quick reference
http://publib.boulder.ibm.com/infocenter/wasinfo/v6r1/topic/com.ibm.websphere.base.doc/info/aes/ae/usec_sslqualprotect.html
HTH
Manglu
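One way to see whether the browser actually sent a certificate while the SSL configuration is set to "supported", as an added example that is not part of the original post or of IBM's documentation. The class name `ClientCertProbeServlet` and its URL mapping are hypothetical; the request attribute is the one defined by the Servlet specification.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet (added example). Map it to a URL that is NOT
// covered by a security-constraint, so the container does not answer 403
// before this code runs.
public class ClientCertProbeServlet extends HttpServlet {

    // Request attribute defined by the Servlet specification for HTTPS
    // requests that carried a client certificate chain.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Summarises what the TLS layer handed to the container for this request.
    static String describe(boolean secure, Object attr) {
        if (!secure) {
            return "not an HTTPS request; no client certificate is possible";
        }
        if (!(attr instanceof X509Certificate[]) || ((X509Certificate[]) attr).length == 0) {
            // With client authentication "supported" the handshake still
            // completes when the browser sends no certificate.
            return "HTTPS, but no client certificate was presented";
        }
        // The first element of the chain is the client's own certificate.
        X509Certificate leaf = ((X509Certificate[]) attr)[0];
        return "client certificate presented: subject="
                + leaf.getSubjectX500Principal().getName()
                + ", issuer=" + leaf.getIssuerX500Principal().getName();
    }

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        out.println(describe(req.isSecure(), req.getAttribute(CERT_ATTR)));
    }
}
```

If the response reports that no certificate was presented, the handshake completed without one, which is what "supported" permits and "required" would reject.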