    CLIENT-CERT AUTH: is it really strong?

    Filippo Newbie

      My question arises from the fact that the client is authenticated against a principal retrieved from the public certificate that the browser sends in response to ObjectCallback.
      Is it possible that a user could send this certificate even when he's not the real certificate owner?
      I remember that security is based on a digital signature of a random hash sent by the server and verified on the server against the public certificate stored in a Java store.
      But I cannot find this feature in the sources that manage client authentication in the JBoss 4.0.3SP1 release.

      Any suggestion will be appreciated.
      Thanks in advance.
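    The proof-of-possession step the question describes, written out as an added example (this is not code from the thread, from JBoss or from JSSE). A self-signed certificate stands in for one from the keystore, and a signed random challenge stands in for the TLS CertificateVerify message, which in the real protocol covers the handshake transcript rather than a bare nonce. The identities "alice" and "mallory" and the function names are invented for the illustration. The example contrasts the check the question worries about (map the presented certificate's subject straight to a principal) with the challenge/response that only the holder of the matching private key can pass:

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newIdentity creates a 2048-bit RSA key and a self-signed certificate for cn.
// These are constructed test identities, not certificates from a real CA or keystore.
func newIdentity(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return key, cert, err
}

// PrincipalWithoutProof is the weak check: trust whatever certificate was sent and
// map its subject to a principal. Anyone holding a copy of the public cert passes.
func PrincipalWithoutProof(presented *x509.Certificate) string {
	return presented.Subject.CommonName
}

// serverChallenge returns a fresh random value the client must sign. In real TLS the
// signed data is the handshake transcript, which includes the server's random nonce.
func serverChallenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// clientProve signs the challenge with whatever private key the client actually holds.
func clientProve(key *rsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
}

// serverVerify checks the proof against the public key inside the presented
// certificate; only the holder of the matching private key can produce it.
func serverVerify(presented *x509.Certificate, challenge, proof []byte) (string, error) {
	pub, ok := presented.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("presented certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(challenge)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], proof); err != nil {
		return "", fmt.Errorf("rejecting %q: proof does not match certificate key: %w",
			presented.Subject.CommonName, err)
	}
	return presented.Subject.CommonName, nil
}

// AuthenticateWithProof runs the challenge/response: the client presents a
// certificate and signs with clientKey; a principal comes back only if they match.
func AuthenticateWithProof(presented *x509.Certificate, clientKey *rsa.PrivateKey) (string, error) {
	challenge, err := serverChallenge()
	if err != nil {
		return "", err
	}
	proof, err := clientProve(clientKey, challenge)
	if err != nil {
		return "", err
	}
	return serverVerify(presented, challenge, proof)
}

func main() {
	aliceKey, aliceCert, err := newIdentity("alice")
	if err != nil {
		panic(err)
	}
	malloryKey, _, err := newIdentity("mallory")
	if err != nil {
		panic(err)
	}
	// Mallory replays Alice's public certificate but only has her own private key.
	fmt.Println("no proof check, replayed cert  ->", PrincipalWithoutProof(aliceCert))
	p, err := AuthenticateWithProof(aliceCert, aliceKey)
	fmt.Println("alice with her own key         ->", p, err)
	p, err = AuthenticateWithProof(aliceCert, malloryKey)
	fmt.Println("mallory with alice's cert      ->", p, err)
}
```

    The second and third calls are the point: the same certificate is accepted when the signer holds the matching key and rejected when the signer does not. In TLS this signature is produced and checked by the TLS stack itself (JSSE in a Java server) during the handshake, before the application ever sees the certificate, so it lives there rather than in the code that maps the certificate to a principal.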