Re: [jetty-users] How to configure client certificate for mutual SSL auth with Jetty?

Joakim, thanks! The request.isSecure() call always returns true as long as I use SSL, no matter whether the client cert is passed or not. I will try to add a customizer to examine the client-cert. I had hoped to do so from some SecurityHandler or LoginService but not sure how that fits.

On Tue, Jan 6, 2015 at 5:25 AM, Joakim Erdfelt <joakim@xxxxxxxxxxx> wrote:
BTW, what does request.isSecure() return in your scenario?

For the server side to include the SSL level details in the servlet request object and attributes, you would need to have your server configured to actually include those details in the raw connection.

Eg:


  <!-- =========================================================== -->
  <!-- Create a TLS specific HttpConfiguration based on the        -->
  <!-- common HttpConfiguration defined in jetty.xml               -->
  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
  <!-- session information                                         -->
  <!-- =========================================================== -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>

This adds a critical "org.eclipse.jetty.server.SecureRequestCustomizer" to the HttpConfiguration that the jetty-https.xml uses to establish its Connector.

Eg:


<Configure id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">

<!-- (snip) -->

  <Call name="addConnectionFactory">
    <Arg>
      <New class="org.eclipse.jetty.server.HttpConnectionFactory">
        <Arg name="config"><Ref refid="sslHttpConfig" /></Arg>
      </New>
    </Arg>
  </Call>
  
</Configure>

Without this SecureRequestCustomizer, the details from the SSL level will never be placed into the Request object, and your servlet will not know the request's credentials.

For the complete list of what it does, just check the source.


--
Joakim Erdfelt <joakim@xxxxxxxxxxx>
Expert advice, services and support from the Jetty & CometD experts

On Mon, Jan 5, 2015 at 11:56 AM, Wenlong Dong <wdong87@xxxxxxxxx> wrote:
BTW, what is the best way to retrieve the client-cert from the server-side please? I did the following. Is it the best way?
  protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
      // Set by SecureRequestCustomizer from the TLS handshake; null when no client certificate was presented
      X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
  }
Somehow request.getAuthType() returns null. Is it because authType is only set at HTTP layer but not TLS layer? Thanks!

On Mon, Jan 5, 2015 at 12:11 AM, Wenlong Dong <wdong87@xxxxxxxxx> wrote:
Christoph, thanks a lot for the quick reply! After enabling SSL debugging, I figured it out today. I also needed to call setTrustStorePath/setTrustStorePassword. Now it works fine.

On Mon, Jan 5, 2015 at 12:01 AM, Christoph Läubrich <laeubi@xxxxxxxxxxxxxx> wrote:
Can you show the whole stack trace? I suspect that your server does not trust the client cert. In that case the SSL connection fails. So you need to export the public certificate from your clients key store, import it in a (server) truststore and pass this to the context factory as a trust store.
_______________________________________________
jetty-users mailing list
jetty-users@xxxxxxxxxxx
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
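The thread above covers three separate pieces: the server trust store that Wenlong had to add (setTrustStorePath/setTrustStorePassword), the SecureRequestCustomizer that Joakim shows in jetty.xml, and the servlet-side lookup of the javax.servlet.request.X509Certificate attribute. The following programmatic equivalent is an added example written for this page; it is not code from the thread or from the Jetty project. It assumes Jetty 9.2-era APIs (SslContextFactory, SecureRequestCustomizer, ServerConnector), and the keystore paths, passwords and port are placeholders. It also makes the check the thread hints at explicit: request.isSecure() is true for any TLS connection, so a servlet that wants mutual authentication must test the certificate attribute itself, and getAuthType() stays null because no SecurityHandler was involved, only the TLS handshake.

```java
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class MutualTlsExample {

    /** Servlet that refuses any request not backed by a client certificate. */
    public static class ClientCertServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            // isSecure() only says "this came over TLS"; it is true even when the client sent no cert.
            // The certificate chain attribute is populated by SecureRequestCustomizer and is the real test.
            X509Certificate[] chain =
                (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
            if (!request.isSecure() || chain == null || chain.length == 0) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
                return;
            }
            X509Certificate leaf = chain[0];
            // JSSE already validated the chain against the trust store during the handshake;
            // re-checking the validity period here is defence in depth, not the primary control.
            try {
                leaf.checkValidity();
            } catch (CertificateExpiredException | CertificateNotYetValidException e) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not valid");
                return;
            }
            // getAuthType() is null: no SecurityHandler/LoginService ran, only the TLS layer.
            response.setContentType("text/plain");
            response.getWriter().println("subject=" + leaf.getSubjectX500Principal().getName());
            response.getWriter().println("authType=" + request.getAuthType());
            // Other attributes SecureRequestCustomizer sets from the TLS session:
            response.getWriter().println("cipher=" + request.getAttribute("javax.servlet.request.cipher_suite"));
        }
    }

    public static Server buildServer() {
        Server server = new Server();

        // Placeholder paths and passwords; replace with the real server keystore/truststore.
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath("/etc/jetty/server-keystore.jks");
        ssl.setKeyStorePassword("CHANGE_ME_KEYSTORE");
        // The trust store holds the CA (or leaf) certs that client certificates must chain to;
        // without it the handshake fails as Christoph described.
        ssl.setTrustStorePath("/etc/jetty/server-truststore.jks");
        ssl.setTrustStorePassword("CHANGE_ME_TRUSTSTORE");
        // Require a client certificate at the TLS layer (setWantClientAuth(true) would make it optional).
        ssl.setNeedClientAuth(true);

        // Equivalent of the sslHttpConfig block in jetty.xml: the customizer copies handshake
        // details (certificate chain, cipher suite, session id) into each Request.
        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(8443);
        httpsConfig.addCustomizer(new SecureRequestCustomizer());

        ServerConnector https = new ServerConnector(server,
            new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(httpsConfig));
        https.setPort(8443);
        server.addConnector(https);

        ServletContextHandler context = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        context.setContextPath("/");
        context.addServlet(new ServletHolder(new ClientCertServlet()), "/whoami");
        server.setHandler(context);
        return server;
    }

    public static void main(String[] args) throws Exception {
        Server server = buildServer();
        server.start();
        server.join();
    }
}
```

If the customizer is left out, the servlet above returns 403 for every request even though the handshake succeeded, which is exactly the symptom Joakim's message explains. Keep setNeedClientAuth(true) at the TLS layer as the primary control and the attribute check in the servlet as a second line of defence; relying on the servlet check alone would let a client open a session without any certificate and only be turned away per request.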
