[android-developers] Android Webview Client Certificate, Mutual Auth, SSL over Webview
I have a Webpage which requires Mutual auth to load the page.
I get onReceivedError() with ERROR_FAILED_SSL_HANDSHAKE. In the logs "Could not establish a secure connection" is printed by Webkit.
I have searched extensively but could not find an answer. There are several posts but nothing conclusive.
I tried all 3 solutions posted here :- http://stackoverflow.com/a/15590041/340068
The solution likely to work was :-
Solution 1:
use ClientCertRequestHandler anyway (It's marked as hidden, but apparently still usable):
So i modified the android.jar to include the internal API for overriding onReceivedClientCertRequest()
But i am not getting the callback at runtime. Same is the case with any third party browser. I tried loading the same webpage in a standard browser. I got a callback on UI asking the User to select a Client certificate.
So seems that only system browser app can get the callback for onReceivedClientCertRequest() from Webkit.
In case of iOS platform, Webview cannot directly load the site too . But making an HTTPS Connection using NSURL ,
keeps the Client certificate in memory for some time and Webview can load this page successfully.
On Android i have successfully setup HTTPS communication by registering an SSLSocketFactory loading Client and Server certificates.
I can do REST API calls using that.However unlike iOS, i cannot find a way in which Android webview can use the Client certificate for Mutual auth.
I think having Mutual auth over a Webview should be supported by the platform as one of the basic requirements for security. Is there any update on this issue ?
-- I get onReceivedError() with ERROR_FAILED_SSL_HANDSHAKE. In the logs "Could not establish a secure connection" is printed by Webkit.
I have searched extensively but could not find an answer. There are several posts but nothing conclusive.
I tried all 3 solutions posted here :- http://stackoverflow.com/a/15590041/340068
The solution likely to work was :-
Solution 1:
use ClientCertRequestHandler anyway (It's marked as hidden, but apparently still usable):
So i modified the android.jar to include the internal API for overriding onReceivedClientCertRequest()
But i am not getting the callback at runtime. Same is the case with any third party browser. I tried loading the same webpage in a standard browser. I got a callback on UI asking the User to select a Client certificate.
So seems that only system browser app can get the callback for onReceivedClientCertRequest() from Webkit.
In case of iOS platform, Webview cannot directly load the site too . But making an HTTPS Connection using NSURL ,
keeps the Client certificate in memory for some time and Webview can load this page successfully.
On Android i have successfully setup HTTPS communication by registering an SSLSocketFactory loading Client and Server certificates.
I can do REST API calls using that.However unlike iOS, i cannot find a way in which Android webview can use the Client certificate for Mutual auth.
I think having Mutual auth over a Webview should be supported by the platform as one of the basic requirements for security. Is there any update on this issue ?
You received this message because you are subscribed to the Google
Groups "Android Developers" group.
To post to this group, send email to android-developers@googlegroups.com
To unsubscribe from this group, send email to
android-developers+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/android-developers?hl=en
---
You received this message because you are subscribed to the Google Groups "Android Developers" group.
To unsubscribe from this group and stop receiving emails from it, send an email to android-developers+unsubscribe@googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.
posted by twitter @ 4:31 AM
0 Comments
0 Comments:
Post a Comment
Subscribe to Post Comments [Atom]
<< Home