
Restricting access of a Web application using public key/ private key techniques

开发者 https://www.devze.com 2023-02-03 19:09 Source: Internet

I have a requirement of restricting access of a web application (public url available on www) & allowing it to a specified set of clients.

Application details as follows:

Technology Used – JSP / Java EE

Deployed on – IBM WebSphere

My problems are:

01. Can this be achieved through client side SSL certificate?

02. Any mechanism of public key / private key techniques available for this

03. Whether these techniques are dependent on browser type


Client certificates are standardized in the servlet spec, so yes this is absolutely possible. You specify CLIENT-CERT in your web.xml file.

You will need to set up the keys in WebSphere's keystore (http://publib.boulder.ibm.com/infocenter/wasinfo/v6r0/index.jsp?topic=/com.ibm.websphere.nd.multiplatform.doc/info/ae/ae/rsec_csiv2cca.html) but this is a proprietary procedure for different containers.

Client certificates are public/private keys, so that should meet your requirement.

There shouldn't be any browser issues, other than giving the users different instructions for different browsers to set up their certificates.
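A deployment descriptor for the CLIENT-CERT setup described in the answer above, as an added example that is not part of the original post. The Servlet 2.4 schema version, the `/*` URL pattern and the role name `trusted-client` are assumptions; trusting the issuing CA and mapping certificates to users in that role are container-specific steps (done in WebSphere's security configuration) and are not shown.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example: web.xml fragment enabling certificate-based login.
     Schema version, URL pattern and role name are assumptions. -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <!-- Protect every URL. No http-method elements are listed, so the
           constraint applies to all HTTP methods, not only GET and POST. -->
      <url-pattern>/*</url-pattern>
    </web-resource-collection>

    <!-- Only callers the container has mapped to this role get through.
         Without an auth-constraint, any caller is allowed. -->
    <auth-constraint>
      <role-name>trusted-client</role-name>
    </auth-constraint>

    <!-- Require TLS: a client certificate can only be presented during
         the TLS handshake, so plain HTTP must not reach the application. -->
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Authenticate the caller from the X.509 certificate presented in
       the TLS handshake instead of a login form or HTTP Basic. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <!-- Every role referenced in an auth-constraint must be declared. -->
  <security-role>
    <role-name>trusted-client</role-name>
  </security-role>

</web-app>
```

The descriptor only restricts access if the container's trust store holds just the CA (or the individual certificates) issued to the permitted clients; a trust store full of public CAs would accept any certificate those CAs have signed at the TLS layer.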


It's in the Java EE spec but has its own problems implementing it. These articles show how to enable and solutions to common issues that arise in such an authentication schema.
