Reputation: 1071
User authentication with no password but certificate instead?
in my application there is existing authentication mechanism which accepts username and password. What I need is a secure way to login as the given user without the password. Let's say I have a REST API and a trusted source-Java app using it. One way would be to allow such access from trusted IP addresses, but that's not enough. What would be the best way to do it? E.g. some trusted certificate that the client up must use. The goal is basically to authenticate as the given user from an internal application without the password. We assume that this is trusted application that should be allowed to do it, but still we need to somehow grant that trust and be able to verify it. Any help appreciated. Thank you
Upvotes: 0
Views: 350
Answers (1)
Reputation: 1318
You can of course use TLS client certificates for authenticating HTTPS access to your server. At the server-side you have implement some scheme to map the client certificate's subject name (DN) to some name or ID you're using for authorization.
Furthermore you need update procedures for the certificate in place, just like with server certificates. You should automate this and have certificate expiry monitoring in place.
An alternative might be looking into OAuth 2.0.
Upvotes: 1
Related Questions
- Basic Auth over HTTPS Java
- How to do basic http authentication in JAVA with login credentials and ssl certificate?
- Java: how to add SSL client-side authentication
- Certificate based authentication
- Combine username/password login with certificate in Spring Security
- Java Manual Client Certificate Authentication
- How would you implement a secure static login credentials system in Java?
- SSL authentication in Java as Server/client model
- Self signed Certificate Based Authentication
- Java certificate based authentication