For explaining my situation, I will start with an example.
Let's say there are two WS (WebService) clients, A and B, with trusted certificates. Now, in normal execution, when both A and B make a call over SSL to WAS (WebSphere Application Server), where my WebServices reside, WAS trusts both of them because of their trusted certificates and allows access to the required WS.
What we would like is to allow only A, not B, to access the WS on WAS. So, after certificate verification, is it possible to extract user info (from WAS admin or the Java way) which will be mapped to a role defined in WAS for accessing the WS?
Upvotes: 2
Views: 617
Reputation: 7316
Sounds like rather than programming this into the application you could just use a revocation model instead. SSL was designed so that a certificate authority (presumably you in this case) could revoke certificates, so why not use that instead?
It's difficult to give you any concrete advice without knowing what platform you're on or how you're doing all your SSL connections and such, but setting up a central CA that signs all the certs that go out and maintaining a revocation list sounds like it would work just fine. You wouldn't need to add anything to the application either (other than dropping non-valid SSL connections).
Upvotes: 2
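An added example (not code from either post) of how the two ideas combine in a servlet filter in front of the WS: the container has already verified the client chain against the truststore, the filter then checks the leaf certificate against a CRL as the answer suggests, and maps its subject DN to a role as the question asks. The DN for client A, the "WSCaller" role and the "ws.role" request attribute are constructed placeholders.

```java
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.Map;
import java.util.Optional;
import javax.security.auth.x500.X500Principal;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class ClientCertRoleFilter implements Filter {
    // Constructed mapping: subject DN of client A -> role allowed to call the WS.
    // Client B presents a trusted certificate too, but has no entry, so it is denied.
    private final Map<X500Principal, String> dnToRole = Map.of(
        new X500Principal("CN=clientA, O=Example Corp, C=US"), "WSCaller");
    private final X509CRL crl; // CRL published by the CA that issued A and B; may be null

    public ClientCertRoleFilter(X509CRL crl) { this.crl = crl; }

    /** Returns the role for the presented chain, or empty if access must be denied. */
    public Optional<String> roleFor(X509Certificate[] chain) {
        if (chain == null || chain.length == 0) return Optional.empty(); // no client cert
        X509Certificate leaf = chain[0];                                  // client's own cert
        if (crl != null && crl.isRevoked(leaf)) return Optional.empty(); // revocation model
        // Compare parsed X500Principals rather than DN strings, so attribute order or
        // escaping differences in the DN cannot slip past the mapping.
        return Optional.ofNullable(dnToRole.get(leaf.getSubjectX500Principal()));
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
            throws java.io.IOException, ServletException {
        // Standard servlet attribute holding the client chain after the SSL handshake.
        X509Certificate[] certs =
            (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        Optional<String> role = roleFor(certs);
        if (!role.isPresent()) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        req.setAttribute("ws.role", role.get()); // hypothetical attribute read by the WS
        next.doFilter(req, res);
    }

    @Override public void init(FilterConfig config) {}
    @Override public void destroy() {}
}
```

The filter only runs after WAS has accepted the certificate chain, so it narrows access among already-trusted clients rather than replacing truststore verification.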