Forward client cert with no HTTPS


 



Hi all

I have an Apache Web Server v2.2.14 which is used as a front-end for a Tomcat Server v5.5. The connector between the servers is mod_jk v1.2.28.
So the Tomcat Server is behind the Apache Server, itself behind an IPS (Intrusion Prevention System). The IPS is in a DMZ, and HTTPS/SSL is enabled only in this area. So there is NO HTTPS/SSL on either Apache or Tomcat.
The users of my application authenticate with an x509 certificate contained in a USB device. The SSL mutual authentication is done by the IPS. After that, all is in HTTP.

What I want is to get the client's certificate on Tomcat, to perform further business checks in my application.
The only thing that I know is that, after mutual SSL authentication, the IPS puts the client certificate in the HTTP header with the value "X-SSL_CLIENT_CERT".

My questions are:
1/ Is Apache able to forward the client's certificate to Tomcat, even though there is no HTTPS on Apache and Tomcat? (maybe using JkEnvVar?)
2/ The value "X-SSL_CLIENT_CERT" to store the cert in the HTTP header: is it standard? Is there a difference with "SSL_CLIENT_CERT"? If not standard, this could be modified.
3/ Ideally, is there a way with Apache to put the client's certificate as a request attribute "javax.servlet.request.X509Certificate"? (because I use Spring Security in my app, and X509 authentication with Spring Security uses request.getAttribute("javax.servlet.request.X509Certificate") to get the cert and authenticate)

PS1: I would have run some tests myself, but I have to quickly write a specification without having all I need to test if what I write is good :(
PS2: Sorry if my English is bad because I'm French...

Thanks in advance

Stieuma
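
Added example, not part of the original post and not code from Apache, mod_jk or Spring Security: a servlet filter on the Tomcat side that turns the "X-SSL_CLIENT_CERT" header into the "javax.servlet.request.X509Certificate" request attribute, accepting it only from the expected front-end address. Assumptions: the class name and the "trustedPeer" init-param are hypothetical, the IPS sends the certificate as PEM (possibly flattened to one line) and removes any client-supplied copy of the header, "trustedPeer" is the address request.getRemoteAddr() reports for traffic that passed through the IPS, and the JVM provides java.util.Base64 (Java 8+).

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Enumeration;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter: map it ahead of the Spring Security filter chain in web.xml.
public class ForwardedClientCertFilter implements Filter {
    private static final String HEADER = "X-SSL_CLIENT_CERT"; // header named in the post
    private static final String ATTR = "javax.servlet.request.X509Certificate";
    private String trustedPeer; // from init-param "trustedPeer" (assumed name)
    public void init(FilterConfig cfg) throws ServletException {
        trustedPeer = cfg.getInitParameter("trustedPeer");
        if (trustedPeer == null) throw new ServletException("trustedPeer init-param is required");
    }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        Enumeration<?> values = http.getHeaders(HEADER);
        if (values != null && values.hasMoreElements()) {
            String value = (String) values.nextElement();
            // Refuse the header from any peer other than the front end, and refuse duplicates.
            if (!trustedPeer.equals(req.getRemoteAddr()) || values.hasMoreElements()) {
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            try {
                req.setAttribute(ATTR, new X509Certificate[] { parse(value) });
            } catch (Exception e) { // bad Base64 or not a valid X.509 structure
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        chain.doFilter(req, res); // without the header, no attribute is set and X509 auth finds nothing
    }

    // Assumed header format: PEM whose line breaks may have been replaced by spaces.
    static X509Certificate parse(String headerValue) throws Exception {
        String b64 = headerValue.replaceAll("-----(BEGIN|END) CERTIFICATE-----", "").replaceAll("\\s+", "");
        return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(
                new ByteArrayInputStream(Base64.getDecoder().decode(b64)));
    }
}
```

The filter only re-parses a certificate that the IPS already validated during the TLS handshake; it does not check the chain, expiry or revocation itself.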
