I have a requirement where the user will use a smart card (token) connected to his PC. When he accesses the web site I need to authenticate the user by reading certificate information from the smart card, and then verify this data against a DB. If the information is right, log in the user; else show an error message or certificate.

We use an SSL(HTTPS) connection authenticated by a CA different from the CA used with the smart card.

How can I do that in Java?

Jongware
user1025523
  • Have you checked examples using [Java Smart Card I/O API](https://docs.oracle.com/javase/7/docs/jre/api/security/smartcardio/spec/)? I haven't used it myself, but it is the way to go. – Pavel Horal Nov 10 '14 at 21:16
  • @PavelHoral that would work for a client-side app, but in this case it's a web app. –  Nov 11 '14 at 06:00
  • Use SSL client certificate authentication, and have the users put their client cert on their smartcard. –  Nov 11 '14 at 06:02

2 Answers

1

Your description of the intended authentication process shows an unusual weakness. The certificate holds the public key with some additional data like user name etc., i.e. it consists completely of public data. Typically the user instead applies her private key to generate a signature and you verify the signature using the public key from the certificate, which has the advantage that by generating the signature the card indirectly proves that the user knows the PIN required for the private key, and it also prevents replay attacks. Also, a database entry for the certificate is not necessary, since you could use something like the card number from the certificate. (You might need the record for other information like associated user roles, however.)

guidot
0

The user needs to pre-register his public key (or rather the certificate which contains the public key) with the portal. Then at the time of login / authentication, the user signs an auth token (say "UserID|Password") using his private key in the smart card or USB token on the browser side and sends the request with the auth token and signed token to the server. On the server, use the user's registered public key to verify the signed token; if signature verification is successful, the user may be allowed access to the portal.

On the browser side, you may use the signing JavaScript APIs from a Digital Signing Browser Extension.

Bharat Vasant
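Both answers above describe the same server-side pattern: store the public key from the user's certificate at registration, have the card sign something with its private key at login, and verify that signature on the server. The following is an added example (not code from either answerer) of that flow in plain JDK Java. It follows guidot's point about replay by having the server issue a random, single-use, expiring nonce as the thing to be signed instead of a fixed "UserID|Password" token. The class and method names (`SmartCardChallengeLogin`, `issueChallenge`, `verifyResponse`, `signWithCard`, `Issued`) are my own; the card's key pair is generated in software here as a stand-in for the real token, and in a deployment the registered key would come from `X509Certificate.getPublicKey()` and the signing would be done by the card through the browser extension or middleware.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SecureRandom;
import java.security.Signature;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/** Server-side challenge/response login against a smart card's registered public key. */
public class SmartCardChallengeLogin {

    private static final String SIG_ALG = "SHA256withRSA";
    private static final Duration CHALLENGE_TTL = Duration.ofMinutes(2);

    /** Stand-in for the DB in the question: user id -> public key taken from the user's certificate. */
    private final Map<String, PublicKey> registeredKeys = new ConcurrentHashMap<>();
    /** Outstanding nonces; each is tied to one user, used once, and expires. */
    private final Map<String, Issued> pendingChallenges = new ConcurrentHashMap<>();
    private final SecureRandom random = new SecureRandom();

    private static final class Issued {
        final String userId;
        final Instant issuedAt;
        Issued(String userId, Instant issuedAt) { this.userId = userId; this.issuedAt = issuedAt; }
    }

    /** Registration: store the public key (in production: X509Certificate.getPublicKey()). */
    public void register(String userId, PublicKey key) {
        registeredKeys.put(userId, key);
    }

    /** Step 1: server hands the browser a fresh random nonce bound to the claimed user id. */
    public String issueChallenge(String userId) {
        byte[] nonce = new byte[32];
        random.nextBytes(nonce);
        String challenge = Base64.getEncoder().encodeToString(nonce);
        pendingChallenges.put(challenge, new Issued(userId, Instant.now()));
        return challenge;
    }

    /** Step 3: verify the card's signature over the nonce. The nonce is consumed whatever the outcome. */
    public boolean verifyResponse(String userId, String challenge, byte[] signature)
            throws GeneralSecurityException {
        Issued issued = pendingChallenges.remove(challenge);      // single use: a replayed nonce is gone
        if (issued == null || !issued.userId.equals(userId)) return false;
        if (Instant.now().isAfter(issued.issuedAt.plus(CHALLENGE_TTL))) return false;
        PublicKey key = registeredKeys.get(userId);               // unknown user: nothing to verify against
        if (key == null) return false;
        Signature verifier = Signature.getInstance(SIG_ALG);
        verifier.initVerify(key);
        verifier.update(challenge.getBytes(StandardCharsets.US_ASCII));
        return verifier.verify(signature);
    }

    /** Step 2 (simulated client): what the card does with its PIN-protected private key. */
    static byte[] signWithCard(PrivateKey cardKey, String challenge) throws GeneralSecurityException {
        Signature signer = Signature.getInstance(SIG_ALG);
        signer.initSign(cardKey);
        signer.update(challenge.getBytes(StandardCharsets.US_ASCII));
        return signer.sign();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed stand-in for the key pair living on the user's card.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair cardKeyPair = kpg.generateKeyPair();

        SmartCardChallengeLogin server = new SmartCardChallengeLogin();
        server.register("alice", cardKeyPair.getPublic());

        // Normal login: nonce signed by the registered card, then the same response replayed.
        String challenge = server.issueChallenge("alice");
        byte[] sig = signWithCard(cardKeyPair.getPrivate(), challenge);
        System.out.println("first login: " + server.verifyResponse("alice", challenge, sig));
        System.out.println("replayed:    " + server.verifyResponse("alice", challenge, sig));

        // A signature made with some other key pair is rejected against alice's registered key.
        KeyPair otherCard = kpg.generateKeyPair();
        String challenge2 = server.issueChallenge("alice");
        byte[] badSig = signWithCard(otherCard.getPrivate(), challenge2);
        System.out.println("wrong key:   " + server.verifyResponse("alice", challenge2, badSig));
    }
}
```

The first check succeeds, the replay fails because the nonce was removed on first use, and the third fails because the signature does not verify under the registered key. Because the nonce is chosen by the server and never reused, possession of the public certificate alone (which is all the original question's scheme checked) gives an attacker nothing to present; only the holder of the card and its PIN can produce a valid response. The TLS client-certificate approach suggested in the comments gives the same proof of possession, performed by the TLS stack during the handshake, and needs no application-level nonce handling.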