SSL / TLS two-way authentication on Rest web service

Let me describe my situation. I have a REST application running on Apache Tomcat 7.0. The question is whether I can authenticate clients and assign them roles on the REST API server, so that each user is allowed to take some action or not. Client authentication and roles would be determined by the SSL / TLS client certificate that clients must send to the server.

Strategy:

  • The REST client application sends a request to the server.
  • The client, besides sending the action in the POST request, sends its own SSL / TLS certificate (I don't know how to do this).
  • The REST web service receives this request from the client, processes it, and uses the SSL / TLS certificate to determine the client's role, so it can answer whether the requested action is allowed or not.

Is it possible? Can anyone help with some tutorials or other posts?


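As an added example (not code from the question or from Tomcat itself), the following servlet filter shows the server side of the strategy described in the question: Tomcat performs the TLS handshake, verifies the client certificate against its truststore, and exposes the verified chain to the web application under the standard request attribute `javax.servlet.request.X509Certificate`; the filter then maps the certificate's subject DN to an application role. It assumes the HTTPS connector in `server.xml` is configured with `clientAuth="true"` plus `keystoreFile`/`truststoreFile` attributes, where the truststore holds only the CA that issues client certificates, and it assumes a `/api/*` URL pattern, a request attribute named `clientRole`, and a constructed subject-to-role table (all hypothetical names).

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Turns the TLS client certificate that Tomcat has already verified into an
 * application role. Assumes the HTTPS connector uses clientAuth="true" and a
 * truststore containing only the client-certificate CA: Tomcat then rejects the
 * handshake for any other certificate, so a certificate that reaches this
 * filter has a validated chain. The "/api/*" pattern is an assumption.
 */
@WebFilter("/api/*")
public class ClientCertRoleFilter implements Filter {

    // Servlet-spec attribute under which the container exposes the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Request attribute set for downstream REST resources (hypothetical name).
    public static final String ROLE_ATTR = "clientRole";

    // Constructed mapping: subject DN in RFC 2253 form -> role. A real service
    // would load this from configuration or a database, ideally keyed on the
    // issuer plus serial number or fingerprint rather than the subject alone.
    private static final Map<String, String> ROLES_BY_SUBJECT = new HashMap<String, String>();
    static {
        ROLES_BY_SUBJECT.put("CN=reporting-client,O=Example Corp", "reader");
        ROLES_BY_SUBJECT.put("CN=admin-console,O=Example Corp", "admin");
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // Plain HTTP, or clientAuth="want" and the client presented nothing.
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        // certs[0] is the end-entity certificate; the rest is the chain up to the CA.
        String role = roleFor(certs[0]);
        if (role == null) {
            // Valid certificate from our CA, but no role is assigned to this subject.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "no role for certificate subject");
            return;
        }

        request.setAttribute(ROLE_ATTR, role);
        chain.doFilter(req, res);
    }

    /** Maps the end-entity certificate to a role, or returns null if none is configured. */
    static String roleFor(X509Certificate leaf) {
        // getName() without arguments returns the RFC 2253 string form, which is
        // stable regardless of how the DN was encoded in the certificate.
        String subject = leaf.getSubjectX500Principal().getName();
        return ROLES_BY_SUBJECT.get(subject);
    }

    @Override
    public void destroy() { }
}
```

A REST resource behind the filter reads `request.getAttribute(ClientCertRoleFilter.ROLE_ATTR)` to decide whether the requested action is permitted. On the client side, presenting the certificate is a TLS configuration matter rather than part of the POST body: a Java client sets the `javax.net.ssl.keyStore` and `javax.net.ssl.keyStorePassword` system properties (or builds its own `SSLContext` with a `KeyManager`), and for a quick test `curl --cert client.pem --key client.key --cacert server-ca.pem` does the same. Two caveats for the defender: the role mapping above relies entirely on Tomcat having rejected certificates not issued by the configured CA, so the truststore must not contain general-purpose public CAs, and revocation is not checked unless the connector is also given a `crlFile` (or the mapping is keyed on serial numbers you can disable).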
1 answer


We have adopted HMAC authentication in our REST services. Worth reading: http://www.thebuzzmedia.com/designing-a-secure-rest-api-without-oauth-authentication/


