
I'm using Restlet 2.0.8 with Simple set up as such:

    import java.io.File;

    import org.restlet.Component;
    import org.restlet.Restlet;
    import org.restlet.Server;
    import org.restlet.data.ChallengeScheme;
    import org.restlet.data.Parameter;
    import org.restlet.data.Protocol;
    import org.restlet.security.ChallengeAuthenticator;
    import org.restlet.util.Series;

    component = new Component();
    component.getClients().add(Protocol.FILE);
    Server httpsServer = component.getServers().add(Protocol.HTTPS, 444);

    // Connector parameters are read by the Simple HTTPS connector at start-up.
    Series<Parameter> parameters = httpsServer.getContext().getParameters();

    File pwd = new File(".");
    String path = pwd.getCanonicalPath();
    String keystorePath = path + "/keystore/keypair.jks";

    parameters.add("SSLContextFactory", "org.restlet.ext.ssl.PkixSslContextFactory");
    parameters.add("keystorePath", keystorePath);
    parameters.add("keystorePassword", "xxx");
    parameters.add("keyPassword", "xxx");
    parameters.add("keystoreType", "JKS");
    parameters.add("threadMaxIdleTimeMs", "60000"); // default idle time
    parameters.add("needClientAuthentication", "true");

    // Guard the restlet with BASIC authentication (encrypted under SSL).
    ChallengeAuthenticator guard = new ChallengeAuthenticator(null, ChallengeScheme.HTTP_BASIC, "xxx");

    // new pagerreceiver
    Restlet resty = new PagerReceiverApplication();

    LoginChecker loginVerifier = new LoginChecker();
    guard.setVerifier(loginVerifier);
    guard.setNext(resty);
    component.getDefaultHost().attachDefault(guard);

    overrideStatus statusService = new overrideStatus();
    component.setStatusService(statusService);

    component.start();

The SSL works just fine, but it accepts any connection at all, whether they have a client certificate or not! Just what is going on here exactly, and am I missing something?

user705142

1 Answer

For a while, until this patch in the Simple Framework (rev. 1785), Simple was always using "want client authentication", without any way to configure it either way ("need" or "nothing").

For this reason, the needClientAuthentication parameter of the Simple Restlet connector was never supported, because the Restlet connector itself had no way to change this behaviour.

As far as I'm aware, the change in Simple rev. 1785 only removes any form of client authentication (no "need" or "want"). I'm not sure whether Restlet 2.0.8 uses a release of Simple that was before or after this patch, but to date, there doesn't seem to be anything to provide this support.

There were discussions on the Simple mailing list on this topic here:

There are a few workarounds:

  • Use a different connector than Simple for your Restlet application. The other ones should support needClientAuthentication.
  • Keep using wantClientAuthentication (providing it's the pre-patched version of Simple) and check whether there is indeed a certificate, otherwise forbid the request. (I think this is the way IIS does it, even when it "requires" a certificate.)

As a side note, looking at your code, I'm not sure why you'd want to insist on the client presenting both a client certificate and HTTP Basic authentication credentials. Basic auth on top of client-cert seems a bit overkill.

Bruno
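An added example of the second workaround (not code from the question or the answer): a Restlet 2.0 Filter placed in front of the ChallengeAuthenticator that forbids any request arriving without a client certificate, so "want" behaves like "need" at the application layer. It assumes the HTTPS connector exposes the presented chain under the request attribute org.restlet.https.clientCertificates (the attribute name Restlet 2.0 connectors use; treat it as an assumption and verify against your connector).

```java
import java.security.cert.Certificate;
import java.util.List;

import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.data.Status;
import org.restlet.routing.Filter;

/**
 * Rejects requests that did not present a client certificate during the
 * TLS handshake. With "want" client authentication the handshake succeeds
 * either way, so the check has to happen here, before any resource runs.
 */
public class RequireClientCertFilter extends Filter {

    // Request attribute populated by Restlet 2.0 HTTPS server connectors
    // (assumed name; confirm for the connector you actually deploy).
    static final String CERT_ATTR = "org.restlet.https.clientCertificates";

    public RequireClientCertFilter(Context context) {
        super(context);
    }

    @Override
    protected int beforeHandle(Request request, Response response) {
        Object certs = request.getAttributes().get(CERT_ATTR);
        if (!hasCertificate(certs)) {
            // No certificate (or attribute missing): stop the chain with 403.
            response.setStatus(Status.CLIENT_ERROR_FORBIDDEN,
                    "A client certificate is required");
            return STOP;
        }
        return CONTINUE;
    }

    /** True only if the attribute is a non-empty list of X.509 certificates. */
    static boolean hasCertificate(Object attr) {
        if (!(attr instanceof List)) {
            return false;
        }
        List<?> chain = (List<?>) attr;
        return !chain.isEmpty() && chain.get(0) instanceof Certificate;
    }
}
```

Wire it in front of the guard from the question: `RequireClientCertFilter certFilter = new RequireClientCertFilter(component.getContext().createChildContext()); certFilter.setNext(guard); component.getDefaultHost().attachDefault(certFilter);`. Note that a missing attribute is treated the same as no certificate, so a connector that never populates it will reject everything rather than silently admit everything.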
  • Damn, I thought that might be the case - Restlet's documentation doesn't mention this -at all-, which is rather terrible - it suggests that both needClientAuthentication and wantClientAuthentication work just fine. I'm not exactly sure what version of Simple it's using either - ideally I need client authentication from the beginning. I'd rather use the Jetty connector anyway, but it seems to have a rather major bug stopping me from using it, which I'll make another post about. – user705142 Jun 27 '11 at 07:02
  • http://stackoverflow.com/questions/6489667/restlet-2-0-8-with-the-jetty-connecter-doesnt-resume-ssl-sessions-while-the-sim – user705142 Jun 27 '11 at 07:11