Hi,

I have a client-server application where the server is a Java servlet running
in Tomcat and the clients are Java applications.  I now want to secure the data
transfer and authenticate the clients that connect to the server.

I have set up Tomcat for SSL and created a self-signed certificate.  
I then modified the client code to use an https connection.

The client can look at the certificate, but what would I have it check to
verify it is authentic?

My main question though, what would be the best way to have each client authenticate
itself to the servlet?  Should I hand out certificates of some sort to each client?
If so, how do you create, send, and verify them in Java code?
Or should I just use a user/password authentication and check it either
at Tomcat or the servlet?

Thanks a bunch,

Mike Kellstrand
