I have a requirement of restricting access of a web application (public url available on www) & allowing it to specified set of clients.
Application details as follows:
Technology Used – JSP / Java EE
Deployed on – IBM Webshpere
My problems are:
01. Can this be achieved through client side SSL certificate?
02. Any mechanism of pulbic key / private key technics availble for this
03. Whether these techniques are dependant on browsers type
Client certificates are standardized in the servlet spec, so yes this is absolutely possible. You specify CLIENT-CERT in your web.xml file.
You will need to set up the keys in WebSphere's keystore (http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/rsec_csiv2cca.html) but this is a proprietary procedure for different containers.
Client certificates are public/private keys, so that should meet your requirement.
There shouldn't be any browser issues, other than giving the users different instructions for different browsers to set up their certificates.
It's in the Java EE spec but has its own problems implementing it. These articles show how to enable and solutions to common issues that arise in such an authentication schema.
