
List:       apache-httpd-users
Subject:    Re: [users@httpd] pass on X509 certificate to reverse-proxy backend
From:       Haroon Rafique <haroon.rafique () utoronto ! ca>
Date:       2009-11-27 3:04:45
Message-ID: Pine.LNX.4.64.0911262157590.17817 () haroon ! sis ! utoronto ! ca

On Today at 4:12pm, HR=>Haroon Rafique <haroon.rafique@utoronto.ca> wrote:

HR> [..snip..]
HR> 
HR>         <Location /rxp>
HR>             Order allow,deny
HR>             Allow from all
HR>             SSLVerifyClient optional
HR>             SSLVerifyDepth 3
HR>             SSLOptions +StdEnvVars +ExportCertData
HR>             # pass-on to proxied internal web application
HR>             RequestHeader set SSL_CLIENT_S_DN       "%{SSL_CLIENT_S_DN}s"
HR>             RequestHeader set SSL_CLIENT_I_DN       "%{SSL_CLIENT_I_DN}s"
HR>             RequestHeader set SSL_SERVER_S_DN_OU    "%{SSL_SERVER_S_DN_OU}s"
HR>             RequestHeader set SSL_CLIENT_VERIFY     "%{SSL_CLIENT_VERIFY}s"
HR>         </Location>
HR> 
HR> Upon request /rxp, I get the prompt for "Choose a certificate to present as
HR> identification". (I have an eToken "smart card" with a cert inside it).
HR> Hitting OK or Cancel at this point takes me to the requested page (since
HR> client cert is optional).
HR> 
HR> For further processing, I need to give the backend glassfish server the
HR> ability to extract the X509 certificate from the request. Is that possible?
HR> Typically, on the backend you can use (e.g., java) to extract the certs:
HR> 
HR> X509Certificate[] certs = (X509Certificate[])
HR> request.getAttribute("javax.servlet.request.X509Certificate");
HR> 
HR> The problem is that there is no cert in the request (certs is always null).
HR>

Thought I would post a follow-up. I got a chance to put a break-point in 
the backend server and it looks like even though the above code returns 
null certs, I do have some information in the request headers (due to the 
RequestHeader set .... lines in httpd.conf). So, it won't be a seamless 
fit right into the security infrastructure of the backend, but I believe I 
can see, e.g., SSL_CLIENT_S_DN, by invoking 
request.getHeader("SSL_CLIENT_S_DN");
and that should at least get me started on the right track.

Hope this helps someone. If someone has any other ideas, please keep them 
coming.

Cheers,
--
Haroon Rafique
<haroon.rafique@utoronto.ca>

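Added example (not from the thread or from GlassFish): a small Java helper showing how a backend behind the proxy config above can consume the forwarded SSL_CLIENT_* headers without taking them at face value. The forwarded subject DN is only treated as an identity when SSL_CLIENT_VERIFY says SUCCESS and the connection actually came from the proxy; a client that can reach the backend directly could otherwise send those headers itself. The "(null)" handling covers the case where no cert was presented under SSLVerifyClient optional and mod_headers substitutes that string for an unset variable. The proxy addresses, class name, sample DNs and header map are constructed assumptions.

```java
import java.util.Map;
import java.util.Optional;
import java.util.Set;

/**
 * Reads the client-certificate attributes that the httpd reverse proxy forwards
 * as request headers (SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN, SSL_CLIENT_I_DN) and
 * treats the subject DN as an authenticated identity only when the proxy
 * reported a successful verification. Hypothetical helper, not GlassFish API.
 */
public final class ProxiedClientCert {

    /** Addresses the backend accepts forwarded headers from (assumed proxy IPs). */
    private static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "127.0.0.1");

    /** Identity extracted from the forwarded headers. */
    public record ClientIdentity(String subjectDn, String issuerDn) {}

    /**
     * @param remoteAddr address the backend received the connection from (request.getRemoteAddr())
     * @param headers    request headers (name -> value), e.g. collected from HttpServletRequest
     * @return the identity when the proxy verified a client cert, otherwise empty
     */
    public static Optional<ClientIdentity> fromHeaders(String remoteAddr, Map<String, String> headers) {
        // Headers are only meaningful if the request came through the proxy that sets them;
        // anything reaching the backend by another path could carry arbitrary values.
        if (remoteAddr == null || !TRUSTED_PROXIES.contains(remoteAddr)) {
            return Optional.empty();
        }
        // mod_ssl sets SSL_CLIENT_VERIFY to SUCCESS, NONE, GENEROUS or FAILED:reason.
        String verify = clean(headers.get("SSL_CLIENT_VERIFY"));
        if (!"SUCCESS".equals(verify)) {
            return Optional.empty();
        }
        String subject = clean(headers.get("SSL_CLIENT_S_DN"));
        String issuer = clean(headers.get("SSL_CLIENT_I_DN"));
        if (subject == null) {
            return Optional.empty();
        }
        return Optional.of(new ClientIdentity(subject, issuer));
    }

    /** With no cert presented, an unset mod_ssl variable is forwarded as the literal "(null)". */
    private static String clean(String value) {
        if (value == null) {
            return null;
        }
        String v = value.trim();
        return (v.isEmpty() || "(null)".equals(v)) ? null : v;
    }

    public static void main(String[] args) {
        // Constructed sample headers, shaped like what the RequestHeader lines above would forward.
        Map<String, String> withCert = Map.of(
            "SSL_CLIENT_VERIFY", "SUCCESS",
            "SSL_CLIENT_S_DN", "/C=CA/O=Example Org/CN=example user",
            "SSL_CLIENT_I_DN", "/C=CA/O=Example CA/CN=Example Issuing CA");
        Map<String, String> noCert = Map.of(
            "SSL_CLIENT_VERIFY", "NONE",
            "SSL_CLIENT_S_DN", "(null)",
            "SSL_CLIENT_I_DN", "(null)");

        // Verified cert, forwarded by the proxy: identity present.
        System.out.println(fromHeaders("10.0.0.5", withCert));
        // User pressed Cancel at the cert prompt: no identity.
        System.out.println(fromHeaders("10.0.0.5", noCert));
        // Same headers but not from the proxy: ignored.
        System.out.println(fromHeaders("192.0.2.10", withCert));
    }
}
```

In a servlet you would build the map from request.getHeader(...) for those three names and pass request.getRemoteAddr(); restricting the backend listener to the proxy's network is still the stronger control, the address check is a second line.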

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
