We have a Rest API that requires client certificate authentication. The API is used by this collection of python scripts that a user can run. To make it so that the user doesn’t have to enter their password for their client certificate every time they run one of the scripts, we’ve created this broker process in java that a user can startup and run in the background which holds the user’s certificate password in memory (we just have the javax.net.ssl.keyStorePassword property set in the JVM). The scripts communicate with this process and the process just forwards the Rest API calls to the server (adding the certificate credentials).

To do the IPC between the scripts and the broker process we’re just using a socket. The problem is that the socket opens up a security risk in that someone could use the Rest API using another person’s certificate by communicating through the broker process port on the other person’s machine. We’ve mitigated the risk somewhat by using java security to only allow connections to the port from localhost. I think though someone in theory could still do it by remotely connecting to the machine and then using the port. Is there a way to further limit the use of the port to the current windows user? Or maybe is there another form of IPC I could use that can do authorization using the current windows user?

We’re using Java for the broker process just because everyone on our team is much more familiar with Java than python but it could be rewritten in python if that would help.

Edit: Just remembered the other reason for using java for the broker process is that we are stuck with using python v2.6 and at this version https with client certificates doesn’t appear to be supported (at least not without using a 3rd party library).