Thanks Michele and Derek. Nice post, I am looking for exactly the same :)

On Wed, Jul 25, 2012 at 4:09 AM, Michele Comitini <michele.comit...@gmail.com> wrote:
> This is very similar to what TLS accomplishes with x509 certificates.
> There is a slight difference: the server does not own a public key for
> each client; it verifies that the client owns an x509 certificate signed
> by the correct certification authority. So no need to store public keys.
> In any case, AFAIK in public/private key algorithms the private key always
> allows generation of the corresponding public key, not the contrary of
> course.
>
> To accomplish what you need in the simplest way you have to:
>
> - create a certification authority with a self-signed certificate
> - create a certificate for your webserver signed with the private key of the
>   certification authority above.
> - configure your webserver to require a client certificate (with rocket
>   look at the --ca-cert option)
> - In case you need to know some info about the connecting client as
>   reported in its certificate, you can use x509_auth.py to use x509
>   authentication and configure your REST action with @auth.requires_login().
>   This will give you access to information contained in the certificate
>   such as common name or serial id. To customize you can extend the X509_Auth
>   class.
>
> To generate test certificates fast you can use simpatica as Derek
> correctly suggests.
>
> mic
>
> On Tuesday, 24 July 2012 10:33:48 UTC+2, Amit wrote:
>
>> Hi,
>> I have to provide public/private key authentication for accessing a web
>> service (REST) from a client in my web2py application. How to achieve it?
>>
>> Scenario:
>> 1. Each client will have a unique private key which will be sent to the
>> server along with the request.
>> 2. The server has to authenticate the private key using the public key (unique for
>> each client) and then allow access to the web service method. E.g.
>> suppose one client, say X, has requested the web service "add()", so the server
>> has to first validate the public key with the client's private key and if
>> validation is successful then allow access to the web service "add()".
>>
>> Challenges:
>> Where to store the public key of each client? We can't store it in the db
>> because the server can't access the db before validation of the web service method. So
>> will it be stored somewhere on the PC (where the server is running)? If yes, then how
>> and in which format?
>>
>> NOTE: Here the server will be completely written in web2py and the client is a
>> separate application running on the hardware device.
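
The steps Michele lists, as an added example that is not part of the original thread: a throwaway CA, a server certificate and one client certificate built with the `openssl` command line, followed by the check a server makes when it requires client certificates. The file names, subject names and EC key type are constructed for illustration, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. File names, subject names and key type are constructed.
set -eu

# Sign a fresh key for common name $3 with the CA in directory $1; files are $1/$2.*
issue_cert() {
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$1/$2.crt" 2>/dev/null
}

# Build a throwaway PKI in directory $1: CA, server certificate, one client.
make_pki() {
  mkdir -p "$1"
  # Step 1: certification authority with a self-signed certificate.
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -days 30 -subj "/CN=Example Test CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
  # Step 2: web server certificate signed with the CA's private key.
  issue_cert "$1" server "server.example.test"
  # One certificate per client device; its .key file stays on the device.
  issue_cert "$1" client-x "client-x"
}

# The decision the server makes in step 3: was this certificate signed by our CA?
client_is_trusted() {   # $1 = CA certificate, $2 = client certificate
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Identity the application can read from an accepted certificate (step 4).
client_common_name() {  # $1 = certificate
  openssl x509 -in "$1" -noout -subject -nameopt multiline |
    sed -n 's/^ *commonName *= *//p'
}

demo=$(mktemp -d)
make_pki "$demo/ours"
make_pki "$demo/other"   # an unrelated CA that reuses the same subject name
client_is_trusted "$demo/ours/ca.crt" "$demo/ours/client-x.crt" &&
  echo "accepted: CN=$(client_common_name "$demo/ours/client-x.crt")"
client_is_trusted "$demo/ours/ca.crt" "$demo/other/client-x.crt" ||
  echo "rejected: certificate from a different CA"
```

Only `ca.crt` has to be present on the server to validate clients, which is the file the `--ca-cert` option mentioned above refers to; `ca.key` is needed only when issuing certificates.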