0 Replies Latest reply: Mar 22, 2011 11:09 AM by 849422

    Implementing client-cert auth in web.xml in Oracle Application Server

    849422
      Hi,

      I am new to implementing security features on web applications. I have developed a new web service using jdev1012 and deployed it in OAS 10.1.2. It's working fine according to the business requirements, but I need to implement client-cert authentication to make the web service available only to those who have a client certificate.

      My server details are:

      Oracle Application Server 10g Release 2 (10.1.2)
      Server certificate is in place and SSL mode has already been enabled. I am able to access my web service through https://<mydomain.com>/myws/TreqWS, as well as to see the WSDL file through https://<mydomain.com>/myws/TreqWS?WSDL.

      I tried to include the following in my web.xml file as part of implementing CLIENT-CERT authentication.
      <security-constraint>
        <display-name>SecurityConstraint</display-name>
        <web-resource-collection>
          <web-resource-name>WSCollection</web-resource-name>
          <url-pattern>/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
          <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
      </security-constraint>
      <login-config>
        <auth-method>CLIENT-CERT</auth-method>
        <realm-name>WSCollection</realm-name> <!-- am not sure about this realm-name and its purpose -->
      </login-config>

      It is not working as expected, though I have restarted my oc4j container after including this content in the web.xml file, i.e., I am able to invoke the web service through my sample Java client program, though I do not have a client certificate/keystore.

      I believe I am missing something. Can anyone help me in this regard to implement CLIENT-CERT authentication successfully?

      Thanks,
      Ms
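
An added example, not part of the original post: the posted descriptor declares only a transport guarantee, and under the servlet specification a `security-constraint` without an `auth-constraint` does not require an authenticated caller, so the `login-config` is never exercised. The fragment below adds that element; the role name `ws-client` is a hypothetical placeholder.

```xml
<!-- Added example: web.xml fragment. The role name "ws-client" is hypothetical. -->
<security-constraint>
  <display-name>SecurityConstraint</display-name>
  <web-resource-collection>
    <web-resource-name>WSCollection</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <!-- Without auth-constraint the container demands no authenticated caller
       for these URLs, so the CLIENT-CERT login-config is never triggered. -->
  <auth-constraint>
    <role-name>ws-client</role-name>
  </auth-constraint>
  <!-- CONFIDENTIAL only forces the request onto SSL; it does not authenticate. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <!-- realm-name is omitted: the servlet descriptor defines it for HTTP Basic. -->
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<!-- Every role named in an auth-constraint is declared here. -->
<security-role>
  <role-name>ws-client</role-name>
</security-role>
```

Mapping the certificate's identity to the `ws-client` role is container-specific and is not shown here. The SSL endpoint in front of the application must also request a client certificate during the handshake, otherwise the container has no certificate to evaluate.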