Thanks Michele and Derek. Nice post, I am looking for exactly the same :)

On Wed, Jul 25, 2012 at 4:09 AM, Michele Comitini <
michele.comit...@gmail.com> wrote:

>
> This is very similar to what TLS accomplishes with x509 certificates.
> There is a slight difference: the server does not own a public key for
> each client; it verifies that the client owns an x509 certificate signed
> by the correct certification authority. So no need to store public keys.
> In any case, AFAIK in public/private key algorithms the private key always
> allows generation of the corresponding public key, not the contrary of
> course.
>
> To accomplish what you need in the simplest way you have to:
>
> - create a certification authority with a self-signed certificate
> - create a certificate for your webserver signed with the private key of the
> certification authority above.
> - configure your webserver to require a client certificate (with rocket
> look at the --ca-cert option)
> - In case you need to know some info about the connecting client as
> reported in its certificate, you can use x509_auth.py to use x509
> authentication and configure your REST action with @auth.requires_login().
> This will give you access to information contained in the certificate
> such as common name or serial id. To customize you can extend the X509_Auth
> class.
>
> To generate test certificates fast you can use simpatica as Derek
> correctly suggests.
>
> mic
>
> On Tuesday, July 24, 2012 10:33:48 UTC+2, Amit wrote:
>
>> Hi,
>> I have to provide public/private key authentication for accessing a web
>> service (REST) from a client in my web2py application. How to achieve it?
>>
>> Scenario:
>> 1. Each client will have a unique private key which will be sent to the
>> server along with the request.
>> 2. Server has to authenticate the private key using the public key (unique for
>> each client) and then allow access to the web service method. For e.g.
>> suppose one client, say X, has requested the web service "add()", so the server
>> has to first validate the public key with the client's private key and if
>> validation is successful then allow access to the web service "add()".
>>
>> Challenges:
>> Where to store the public key of each client? We can't store it in the db
>> because the server can't access the db before validation of the web service method. So
>> will it be stored somewhere on the PC (where the server is running)? If yes, then how
>> and in which format?
>>
>>
>> NOTE: Here Server will be completely written in web2py and client is
>> separate application running on the hardware device.
>>
>>  --
>
>
>
>

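The setup described in the quoted reply (a server that requires a CA-signed client certificate, then reads the common name or serial from it), sketched with Python's standard `ssl` module. This is an added example, not code from the thread, from web2py's x509_auth.py or from rocket; the function names, the registry layout and the sample certificate dict are hypothetical and constructed for illustration.

```python
import ssl

def new_mtls_server_context():
    """TLS server context that rejects clients lacking a CA-signed certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED  # no valid client cert -> handshake fails
    return ctx

def load_material(ctx, server_cert, server_key, ca_cert):
    """Load the server's own key pair and the CA that client certs must chain to."""
    ctx.load_cert_chain(certfile=server_cert, keyfile=server_key)
    ctx.load_verify_locations(cafile=ca_cert)
    return ctx

def client_identity(peercert):
    """Return (common_name, serial) from the dict given by SSLSocket.getpeercert()."""
    if not peercert:  # None: no cert sent; {}: cert was not validated
        raise ValueError("no verified client certificate")
    names = [v for rdn in peercert.get("subject", ()) for k, v in rdn
             if k == "commonName"]
    serial = peercert.get("serialNumber")
    if len(names) != 1 or not serial:
        raise ValueError("certificate lacks a single commonName or a serial")
    return names[0], serial.upper()

def authorize(peercert, registry, action):
    """Allow `action` only for a known client presenting its registered serial."""
    try:
        name, serial = client_identity(peercert)
    except ValueError:
        return False
    entry = registry.get(name)
    return bool(entry) and entry["serial"] == serial and action in entry["actions"]

# Constructed sample data (hypothetical device name, serial and action list).
SAMPLE_PEERCERT = {
    "subject": ((("organizationName", "Example Devices"),),
                (("commonName", "device-0001"),)),
    "serialNumber": "1A2B3C",
}
REGISTRY = {"device-0001": {"serial": "1A2B3C", "actions": {"add"}}}

if __name__ == "__main__":
    print(authorize(SAMPLE_PEERCERT, REGISTRY, "add"))
    print(authorize(SAMPLE_PEERCERT, REGISTRY, "delete"))
```

The registry holds only names, serials and permitted actions, so the server stores no per-client public keys; the CA signature checked during the handshake is what proves the client holds the matching private key.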