We are working on a JSP/Servlet development project, and we want to use the client-side authentication features of SSL -So, assuming we configure SSL on the web server (Netscape by the way) to require a digital certificate from the client, I am wondering can I get access to the client certificate from within my J2EE-compliant application Server, and perhaps do some processing with the certificate. So my questions:
1) Can the HTTPRequest object (or any other object) get access to the client-side certificate when it arrives at the web server?
2) If yes, is this technique web server dependent, or is there a standard within J2EE and Servlet engines?
3) In what format does the client-side digital certificate get transmitted from the client browser to the web server - Is it effectively a multi-part file-upload, or are the attributes of the certificate transmitted individually?
4) Do web servers generally have plug-ins to LDAP servers so as to vaildate the clients' certificates, or is it the case that the J2EE application server is used for this vailidation with LDAP?
Getting access to the certificate via the Java application server is essential for us (I think) as we want to "tie" a username and password to a digital certificate.
Any help/advice/experiences in this area would be greatly appreciated.
Thanks in advance