Re: [jetty-users] getting hold of the client certificate during an encrypted websockets connection

With jetty 9.0.4, just cast to org.eclipse.jetty.websocket.servlet.ServletUpgradeRequest (new intermediary with 9.0.4)
It has a .getCertificates() call you can use.

Sorry about the javadoc being not yet updated, we are having some account access issues to our documentation server atm.
(Also the reason we haven't announced 9.0.4 yet)



--
Joakim Erdfelt <joakim@xxxxxxxxxxx>
Developer advice, services and support
from the Jetty & CometD experts


On Wed, Jun 26, 2013 at 11:26 AM, Erich Bremer <erich@xxxxxxxxxxx> wrote:
Hi Joakim,

    I see you had to revert the changes to WebSocketCreator.java.  Any ETA to have access to the client certificate ala WebSockets once again?  - Erich


On 06/10/13 1:45 PM, Joakim Erdfelt wrote:
I went ahead and created 2 bugzillas based on this...

WebSocketCreator.createWebSocket() should use servlet specific parameters

Make SSL client certificate information available to server websockets

As for the changes, either of these would be interface changes.
We are planning a next 9.0 release this week, so we'll see what it takes to get this implemented.


--
Joakim Erdfelt <joakim@xxxxxxxxxxx>
Developer advice, services and support
from the Jetty & CometD experts


On Mon, Jun 10, 2013 at 10:24 AM, Erich Bremer <erich@xxxxxxxxxxx> wrote:
Hi Joakim,

    WebSocketCreator is how I made the modification for my program.  It required making a few more modifications in three other files, but it works fine.  The difficulty for me is having to make the changes each time Jetty gets upgraded.  Yes, server-side is where I need it.  My Jetty server needs to get a handle on the cert to verify certain information.  Specifically, I've implemented WebID authentication for my project (http://www.ebremer.com/nexus/WebIDauthentication).  Without the server being able to associate the cert from the initial http session with its upgraded websocket connection, things get confused.

Question (sort of related)
In WebSocketServerFactory, there is a line in the method acceptWebSocket:

    Object websocketPojo = creator.createWebSocket(sockreq,sockresp);

whose parameters are set a few lines before with:

        ServletWebSocketRequest sockreq = new ServletWebSocketRequest(request);
        ServletWebSocketResponse sockresp = new ServletWebSocketResponse(response);

where
    ServletWebSocketRequest and ServletWebSocketResponse are extended versions of UpgradeRequest and UpgradeResponse respectively, but, in the class definition for WebSocketCreator the method changes these parameters

    createWebSocket(UpgradeRequest req, UpgradeResponse resp);

Why create sockreq and sockresp as ServletWebSocketRequest and ServletWebSocketResponse just to cast them into UpgradeRequest and UpgradeResponse?  ServletWebSocketRequest actually stores the http request in a private variable, and that if exposed via a getter, could give access to the cert in the user-defined WebSocketCreator.

        - Erich

PS - any hope to get this cert support added in anytime soon, or should I just keep making the modifications?  - E




On 06/10/13 12:17 PM, Joakim Erdfelt wrote:
Interesting request.
Currently there is no support for that.

Wonder where a good place for that would be ...

Gut reaction is to make it available via the WebSocketCreator, letting you capture and hold onto it at websocket creation time.
That would make it server side specific functionality, which is what I think you intend.

Another option would be to expose the SSL details via the Session object, but what that would mean to the websocket-client implementation of Session I don't know (yet)


--
Joakim Erdfelt <joakim@xxxxxxxxxxx>
Developer advice, services and support
from the Jetty & CometD experts


On Sun, Jun 9, 2013 at 8:40 AM, Erich Bremer <erich@xxxxxxxxxxx> wrote:
Hi,

    I have a case where I am encrypting a websockets connection and requiring a client give its certificate during the initial http connection before upgrading to an encrypted WebSockets connection. What is the easiest way to get hold of the client certificate for a particular websockets connection?  I've only been able to do this by modifying the core Jetty code by passing the certificate to the websocket pojo in a modified websocketfactory.  I'm hoping there is an easier way, thanks!  - Erich
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
https://dev.eclipse.org/mailman/listinfo/jetty-users
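
The approach from the top reply in this thread (Jetty 9.0.4: cast to ServletUpgradeRequest and call getCertificates()), sketched as an added example that is not code from the thread or from the Jetty project. ClientCertCreator and CertBoundSocket are hypothetical names; the return type of getCertificates() and the effect of returning null from the creator are assumptions.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import org.eclipse.jetty.websocket.api.UpgradeRequest;
import org.eclipse.jetty.websocket.api.UpgradeResponse;
import org.eclipse.jetty.websocket.api.WebSocketAdapter;
import org.eclipse.jetty.websocket.servlet.ServletUpgradeRequest;
import org.eclipse.jetty.websocket.servlet.WebSocketCreator;

// Added example; ClientCertCreator and CertBoundSocket are hypothetical names.
// Assumption: returning null from the creator makes Jetty refuse the upgrade.
public class ClientCertCreator implements WebSocketCreator {
    @Override
    public Object createWebSocket(UpgradeRequest req, UpgradeResponse resp) {
        // Jetty 9.0.4, per the reply in this thread: cast to ServletUpgradeRequest.
        if (!(req instanceof ServletUpgradeRequest)) return null;
        // Assumption: X509Certificate[] with the client's own cert first,
        // null when the TLS handshake carried no client certificate.
        X509Certificate[] chain = ((ServletUpgradeRequest) req).getCertificates();
        if (chain == null || chain.length == 0) return null;
        try {
            chain[0].checkValidity();  // reject expired / not-yet-valid certs
            List<String> uris = sanUris(chain[0]);
            if (uris.isEmpty()) return null;  // no identity claim to verify
            return new CertBoundSocket(chain[0], uris);
        } catch (CertificateException e) {
            return null;  // unparsable or out-of-date certificate
        }
    }

    // subjectAltName entries of type 6 are URIs (where a WebID is carried).
    static List<String> sanUris(X509Certificate cert) throws CertificateException {
        List<String> out = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans == null) return out;
        for (List<?> san : sans) {
            if (Integer.valueOf(6).equals(san.get(0))) out.add((String) san.get(1));
        }
        return out;
    }

    // One instance per connection, so the cert stays tied to this websocket.
    public static class CertBoundSocket extends WebSocketAdapter {
        final X509Certificate clientCert;
        final List<String> claimedUris;  // unverified until the application checks them
        CertBoundSocket(X509Certificate cert, List<String> uris) { clientCert = cert; claimedUris = uris; }
    }
}
```

The creator is registered with WebSocketServletFactory.setCreator(...) from a WebSocketServlet's configure() method, and it only ever sees a certificate if the TLS connector is set to request or require client authentication.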


