two way SSL/TLS authentication in a Rest Web Servi

2019-07-25 13:02发布

问题:

I am going to expose my situation. I have a REST application running on Apache Tomcat 7.0. The question is that I want to authenticate and create client roles on the rest API server in order to allow users make some actions or not. The authentication and roles of clients will be determined by the SSL/TLS client certificate that clients have to send to the server.

Strategy is:

  • a Rest Client application sends a request to the server.
  • Client apart from sends actions on the post request, sends his own SSL/TLS certification (I don't know how).
  • Rest Web Service receives this request from the client, process it and determines with SSL/TLS certificate the client role, in order to answer if the action request is allowed or not.

Is this feasible? Can anybody help with some tutorials or other posts?

回答1:

We adopted HMAC authentication in our REST services. Good read: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/