I’m using Restlet 2.0.8 with Simple set up as such:
```java
import java.io.File;

import org.restlet.Component;
import org.restlet.Restlet;
import org.restlet.Server;
import org.restlet.data.ChallengeScheme;
import org.restlet.data.Parameter;
import org.restlet.data.Protocol;
import org.restlet.security.ChallengeAuthenticator;
import org.restlet.util.Series;

component = new Component();
component.getClients().add(Protocol.FILE);
Server httpsServer = component.getServers().add(Protocol.HTTPS, 444);
Series<Parameter> parameters = httpsServer.getContext().getParameters();
// Resolve the keystore relative to the working directory.
File pwd = new File(".");
String path = pwd.getCanonicalPath();
String keystorePath = path + "/keystore/keypair.jks";
parameters.add("SSLContextFactory", "org.restlet.ext.ssl.PkixSslContextFactory");
parameters.add("keystorePath", keystorePath);
parameters.add("keystorePassword", "xxx");
parameters.add("keyPassword", "xxx");
parameters.add("keystoreType", "JKS");
parameters.add("threadMaxIdleTimeMs", "60000"); // default idle time
parameters.add("needClientAuthentication", "true");
// Guard the restlet with BASIC authentication (encrypted under SSL).
ChallengeAuthenticator guard = new ChallengeAuthenticator(null, ChallengeScheme.HTTP_BASIC, "xxx");
// new pagerreceiver
Restlet resty = new PagerReceiverApplication();
LoginChecker loginVerifier = new LoginChecker();
guard.setVerifier(loginVerifier);
guard.setNext(resty);
component.getDefaultHost().attachDefault(guard);
overrideStatus statusService = new overrideStatus();
component.setStatusService(statusService);
component.start();
```
The SSL works just fine, but it accepts any connection at all, whether they have a client certificate or not! Just what is going on here exactly, and am I missing something?
For a while, until this patch in the Simple Framework (rev. 1785), Simple was always using “want client authentication”, without any way to configure it either way (“need” or “nothing”).
For this reason, the `needClientAuthentication` parameter of the Simple Restlet connector was never supported, because the Restlet connector itself had no way to change this behaviour.

As far as I’m aware the change in Simple rev. 1785 only removes any form of client authentication (no “need” or “want”). I’m not sure whether Restlet 2.0.8 uses a release of Simple that was before or after this patch, but to date, there doesn’t seem to be anything to provide this support.
There were discussions on the Simple mailing list on this topic here:
There are a few workarounds:

- `needClientAuthentication`.
- `wantClientAuthentication` (providing it’s the pre-patched version of Simple) and check whether there is indeed a certificate, otherwise forbid the request. (I think this is the way IIS does it, even when it “requires” a certificate.)

As a side note, looking at your code, I’m not sure why you’d want to insist on the client presenting both a client certificate and HTTP basic authentication credentials. Basic auth. on top of client-cert seems a bit overkill.
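The second workaround above ("want" mode plus an explicit check), written out as an added example that is not part of the question or the answer. It assumes Restlet 2.0's `ClientInfo.getCertificates()` is populated by the connector when the client presents a certificate, and it plugs a `Filter` in front of the question's `guard`; `RequireClientCertificateFilter` and `install` are names chosen here, not Restlet API.

```java
import java.security.cert.Certificate;
import java.util.List;

import org.restlet.Component;
import org.restlet.Context;
import org.restlet.Request;
import org.restlet.Response;
import org.restlet.Restlet;
import org.restlet.data.Parameter;
import org.restlet.data.Status;
import org.restlet.routing.Filter;
import org.restlet.util.Series;

/** Rejects any request whose TLS handshake did not present a client certificate. */
public class RequireClientCertificateFilter extends Filter {

    public RequireClientCertificateFilter(Context context) {
        super(context);
    }

    @Override
    protected int beforeHandle(Request request, Response response) {
        // Assumption: the connector fills ClientInfo#getCertificates() with the
        // chain the client sent; in "want" mode this list is empty when the client
        // sent nothing, which is the case "need" mode should have refused.
        List<Certificate> chain = request.getClientInfo().getCertificates();
        if (chain == null || chain.isEmpty()) {
            response.setStatus(Status.CLIENT_ERROR_FORBIDDEN,
                    "A client certificate is required");
            return STOP; // never reaches the guard or the application
        }
        return CONTINUE;
    }

    /**
     * Wiring for the component from the question: switch the connector to
     * "want" mode and put this filter in front of the BASIC-auth guard.
     */
    public static void install(Component component, Series<Parameter> parameters, Restlet guard) {
        // Replaces parameters.add("needClientAuthentication", "true") in the question.
        parameters.add("wantClientAuthentication", "true");
        Filter certCheck = new RequireClientCertificateFilter(
                component.getContext().createChildContext());
        certCheck.setNext(guard);
        component.getDefaultHost().attachDefault(certCheck);
    }
}
```

Only the presence of a certificate is checked here; validation of the chain against the trust store still happens in the TLS handshake, so a certificate the server does not trust fails the handshake rather than reaching this filter.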