List: apache-httpd-users
Subject: Re: [users@httpd] pass on X509 certificate to reverse-proxy backend
From: Haroon Rafique <haroon.rafique () utoronto ! ca>
Date: 2009-11-27 3:04:45
Message-ID: Pine.LNX.4.64.0911262157590.17817 () haroon ! sis ! utoronto ! ca
On Today at 4:12pm, HR=>Haroon Rafique <haroon.rafique@utoronto.ca> wrote:
HR> [..snip..]
HR>
HR> <Location /rxp>
HR> Order allow,deny
HR> Allow from all
HR> SSLVerifyClient optional
HR> SSLVerifyDepth 3
HR> SSLOptions +StdEnvVars +ExportCertData
HR> # pass-on to proxied internal web application
HR> RequestHeader set SSL_CLIENT_S_DN "%{SSL_CLIENT_S_DN}s"
HR> RequestHeader set SSL_CLIENT_I_DN "%{SSL_CLIENT_I_DN}s"
HR> RequestHeader set SSL_SERVER_S_DN_OU "%{SSL_SERVER_S_DN_OU}s"
HR> RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
HR> </Location>
HR>
HR> Upon request /rxp, I get the prompt for "Choose a certificate to present as
HR> identification". (I have a eToken "smart card" with a cert inside it).
HR> Hitting OK or Cancel at this point takes me to the requested page (since
HR> client cert is optional).
HR>
HR> For further processing, I need to give the backend glassfish server the
HR> ability to extract the X509 certificate from the request. Is that possible?
HR> Typically, on the backend you can use (e.g., java) to extract the certs:
HR>
HR> X509Certificate[] certs = (X509Certificate[])
HR> request.getAttribute("javax.servlet.request.X509Certificate");
HR>
HR> The problem is that there is no cert in the request (certs is always null).
HR>
Thought I would post a follow-up. I got a chance to put a breakpoint in
the backend server and it looks like even though the above code returns
null certs, I do have some information in the request headers (due to the
RequestHeader set .... lines in httpd.conf). So, it won't be a seamless
fit right into the security infrastructure of the backend, but I believe I
can see, e.g., SSL_CLIENT_S_DN, by invoking
request.getHeader("SSL_CLIENT_S_DN");
and that should at least get me started on the right track.
Hope this helps someone. If someone has any other ideas, please keep them
coming.
Cheers,
--
Haroon Rafique
<haroon.rafique@utoronto.ca>
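An added illustration of the backend-side handling that the header approach above calls for; it is not part of the post and not httpd or Glassfish code, and it is written in Python rather than Java so it runs stand-alone. The header names are the ones the `RequestHeader set` lines in the quoted httpd.conf produce; the DN strings, the proxy address and the assumption that an unset mod_ssl variable expands to an empty string are constructed for the example. The first function models what `RequestHeader set` does on the proxy (it replaces any client-supplied header of the same name); the second is what the backend should do before it believes `SSL_CLIENT_S_DN`: check that the request came from the proxy at all, and check `SSL_CLIENT_VERIFY`, because with `SSLVerifyClient optional` a request with no certificate still arrives, with `SSL_CLIENT_VERIFY` set to `NONE` and an empty subject DN.

```python
"""Backend-side use of the SSL_CLIENT_* headers set by the reverse proxy.

Added example, not code from the thread, httpd or Glassfish. Header names
match the RequestHeader lines in the quoted httpd.conf; DN values and the
proxy address below are constructed sample data.
"""
from typing import Dict, Optional, Set

VERIFY_HEADER = "SSL_CLIENT_VERIFY"
SUBJECT_HEADER = "SSL_CLIENT_S_DN"
ISSUER_HEADER = "SSL_CLIENT_I_DN"
SERVER_OU_HEADER = "SSL_SERVER_S_DN_OU"
FORWARDED = (SUBJECT_HEADER, ISSUER_HEADER, SERVER_OU_HEADER, VERIFY_HEADER)


def proxy_rewrite(incoming: Dict[str, str], ssl_env: Dict[str, str]) -> Dict[str, str]:
    """Model of the four 'RequestHeader set NAME "%{NAME}s"' lines.

    Each listed header is replaced with mod_ssl's variable for this TLS
    connection, so a value the client sent under that name never reaches
    the backend. Assumption: an unset variable expands to "".
    """
    out = {name.upper(): value for name, value in incoming.items()}
    for name in FORWARDED:
        out[name] = ssl_env.get(name, "")
    return out


def parse_dn(dn: str) -> Dict[str, str]:
    """Split the slash-separated 'oneline' DN that mod_ssl of that era emits
    ('/C=CA/O=Example/CN=Alice') into attribute -> value.

    A repeated attribute keeps its last value (assumption: sufficient for
    the CN/O/OU lookups a backend typically needs).
    """
    attrs: Dict[str, str] = {}
    for rdn in dn.strip("/").split("/"):
        key, sep, value = rdn.partition("=")
        if sep:
            attrs[key.strip()] = value.strip()
    return attrs


def authenticated_subject(headers: Dict[str, str], remote_addr: str,
                          trusted_proxies: Set[str]) -> Optional[Dict[str, str]]:
    """Return the verified client's subject attributes, or None.

    1. The connection must come from the proxy that set the headers; a
       request reaching the backend directly can carry any SSL_CLIENT_*
       values, so the DN header means nothing on its own.
    2. SSL_CLIENT_VERIFY must be SUCCESS. With 'SSLVerifyClient optional'
       the request arrives even when no certificate was presented; mod_ssl
       then reports NONE and leaves the subject DN empty.
    """
    if remote_addr not in trusted_proxies:
        return None
    normalized = {name.upper(): value for name, value in headers.items()}
    if normalized.get(VERIFY_HEADER) != "SUCCESS":
        return None
    subject = normalized.get(SUBJECT_HEADER, "")
    return parse_dn(subject) if subject else None


# Constructed sample data for a stand-alone run.
PROXY_ADDR = "10.0.0.1"
SSL_ENV_WITH_CERT = {
    VERIFY_HEADER: "SUCCESS",
    SUBJECT_HEADER: "/C=CA/O=Example University/OU=Staff/CN=Alice Example",
    ISSUER_HEADER: "/C=CA/O=Example University/CN=Example CA",
}
SSL_ENV_NO_CERT = {VERIFY_HEADER: "NONE"}
CLIENT_SENT = {
    "Host": "app.example",
    SUBJECT_HEADER: "/CN=not-from-the-proxy",
    VERIFY_HEADER: "SUCCESS",
}

if __name__ == "__main__":
    via_proxy = proxy_rewrite(CLIENT_SENT, SSL_ENV_WITH_CERT)
    print(authenticated_subject(via_proxy, PROXY_ADDR, {PROXY_ADDR}))
    print(authenticated_subject(proxy_rewrite(CLIENT_SENT, SSL_ENV_NO_CERT),
                                PROXY_ADDR, {PROXY_ADDR}))
    print(authenticated_subject(CLIENT_SENT, "192.0.2.7", {PROXY_ADDR}))
```

The same two checks apply whatever the backend is written in: in the servlet the address comes from `request.getRemoteAddr()` and the headers from `request.getHeader(...)` as in the post. The remote-address check is only a substitute for network-level isolation; if the Glassfish listener is reachable from anywhere but the proxy, restricting it with a firewall or by binding it to an internal interface is the real fix, since nothing about the headers themselves proves they were set by mod_ssl.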
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.