On Today at 4:12pm, HR=>Haroon Rafique <haroon.rafique@xxxxxxxxxxx> wrote:

HR> [..snip..]
HR>
HR> <Location /rxp>
HR>     Order allow,deny
HR>     Allow from all
HR>     SSLVerifyClient optional
HR>     SSLVerifyDepth 3
HR>     SSLOptions +StdEnvVars +ExportCertData
HR>     # pass-on to proxied internal web application
HR>     RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
HR>     RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
HR>     RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
HR>     RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
HR> </Location>
HR>
HR> Upon request /rxp, I get the prompt for "Choose a certificate to present as
HR> identification". (I have a eToken "smart card" with a cert inside it).
HR> Hitting OK or Cancel at this point takes me to the requested page (since
HR> client cert is optional).
HR>
HR> For further processing, I need to give the backend glassfish server the
HR> ability to extract the X509 certificate from the request. Is that possible?
HR> Typically, on the backend you can use (e.g., java) to extract the certs:
HR>
HR>     X509Certificate[] certs = (X509Certificate[])
HR>         request.getAttribute("javax.servlet.request.X509Certificate");
HR>
HR> The problem is that there is no cert in the request (certs is always null).
HR>

Thought I would post a follow-up. I got a chance to put a break-point in the backend server and looks like even though the above code returns null certs, I do have some information in the request headers (due to the RequestHeader set .... lines in httpd.conf). So, it won't be a seamless fit right into the security infrastructure of the backend, but I believe I can see, e.g., SSL_CLIENT_S_DN, by invoking request.getHeader("SSL_CLIENT_S_DN"); and that should at least get me started on the right track.

Hope this helps someone. If someone has any other ideas, please keep them coming.

Cheers,
--
Haroon Rafique <haroon.rafique@xxxxxxxxxxx>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
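
An added example, not part of the original post: one way the backend could gate on the forwarded headers described above. Because SSLVerifyClient optional proxies requests that carry no certificate, it accepts SSL_CLIENT_S_DN only when SSL_CLIENT_VERIFY is SUCCESS and the request arrived from the proxy. The class name, TRUSTED_PROXIES, the method name and the sample header values are assumptions.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;

public class ForwardedClientCert {
    // Assumption: address of the Apache reverse proxy as seen by the backend.
    private static final Set<String> TRUSTED_PROXIES = Set.of("127.0.0.1");

    /**
     * Returns the client subject DN only when the request came from the proxy
     * and mod_ssl reported a verified client certificate.
     * In a servlet, pass request.getRemoteAddr() and request::getHeader.
     */
    public static Optional<String> verifiedSubjectDn(String remoteAddr,
                                                     Function<String, String> header) {
        // Anyone who can reach the backend directly can send these headers,
        // so accept them only from the proxy that sets them.
        if (!TRUSTED_PROXIES.contains(remoteAddr)) {
            return Optional.empty();
        }
        // mod_ssl sets SSL_CLIENT_VERIFY to NONE, SUCCESS, GENEROUS or
        // FAILED:reason; only SUCCESS means a certificate was verified.
        if (!"SUCCESS".equals(header.apply("SSL_CLIENT_VERIFY"))) {
            return Optional.empty();
        }
        String dn = header.apply("SSL_CLIENT_S_DN");
        // Assumption: an unset variable may arrive missing, empty, or as a
        // placeholder such as "(null)"; none of these is an identity.
        if (dn == null || dn.isBlank() || "(null)".equals(dn)) {
            return Optional.empty();
        }
        return Optional.of(dn);
    }

    public static void main(String[] args) {
        // Constructed header sets, not captured traffic.
        Map<String, String> withCert = Map.of(
            "SSL_CLIENT_VERIFY", "SUCCESS",
            "SSL_CLIENT_S_DN", "/C=CA/O=Example/CN=Test User");
        Map<String, String> cancelled = Map.of("SSL_CLIENT_VERIFY", "NONE");

        System.out.println(verifiedSubjectDn("127.0.0.1", withCert::get));
        System.out.println(verifiedSubjectDn("127.0.0.1", cancelled::get));
        System.out.println(verifiedSubjectDn("203.0.113.9", withCert::get));
    }
}
```

Only the first call yields a DN; the "Cancel" case and the request that bypasses the proxy both come back empty.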