Secure API JAX-RS API with SSL certificate over Jetty Server
Jax-RS REST API with
Jetty Server in my Java 8 application. I am new to securing the
.pem file (certificate) in some path.
I want to use this certificate to validate the incoming request API.
Can someone point me to a working example of how to validate APIs with
Is there any way that I can validate only a single API and not all?
SSL/TLS based authentication of a client certificate occurs very early in the connections/conversation with an HTTP server.
In Java it happens entirely within the JVM's SSLEngine layer.
Basically like this (simplified):
- Client connects to port 443
- Jetty accepts the connection
- Jetty tests to see what kind of traffic it is
- Jetty sees that it's encrypted and sends the traffic through the JVM SSLEngine layer.
- TLS negotiates encryption (JVM code)
- TLS negotiates client certificate (JVM code)
- Connection is established (JVM code)
- Jetty reads the decrypted traffic on the connection and starts to parse the request
- Jetty creates the request object and dispatches to the web app.
- Web app (your REST layer) now handles the request and produces a response.
By the time the request reaches your API the client certificate has already been verified / validated by the TLS layer.
You will only ever receive requests that satisfy that layer.
You have the optional feature `SecureRequestCustomizer` that will include Request attributes that contain information from the TLS layer, by way of the JVM's post-negotiated TLS layer.