Secure JAX-RS API with SSL certificate over Jetty Server

I have a JAX-RS REST API with Jetty Server in my Java 8 application. I am new to securing the REST API. I have a .pem file (certificate) in some path. I want to use this certificate to validate the incoming API request. Can someone point me to a working example of how to validate APIs with an SSL certificate? Is there any way I can validate only a single API and not all of them?

1 answer

  • answered 2022-05-06 21:13 Joakim Erdfelt

    SSL/TLS based authentication of a client certificate occurs very early in the connections/conversation with an HTTP server.

    In Java it happens entirely within the JVM's SSLEngine layer.

    Basically like this (simplified):

    1. Client connects to port 443
    2. Jetty accepts the connection
    3. Jetty tests to see what kind of traffic it is
    4. Jetty sees that it's encrypted and sends the traffic through the JVM SSLEngine layer.
    5. TLS negotiates encryption (JVM code)
    6. TLS negotiates client certificate (JVM code)
    7. Connection is established (JVM code)
    8. Jetty reads the decrypted traffic on the connection and starts to parse the request
    9. Jetty creates the request object and dispatches to the web app.
    10. Web app (your REST layer) now handles the request and produces a response.

    By the time the request reaches your API the client certificate has already been verified / validated by the TLS layer.

    You will only ever receive requests that satisfy that layer.

    You have the optional feature SecureRequestCustomizer that will include Request attributes that contain information from the TLS layer, by way of the JVM's post-negotiated TLS layer.
