1. Re: Apache 2.0.49 + mod_jk2 + JBoss 3.2.4 + Mutual Authentic
jtorres Jun 12, 2004 12:25 AM (in response to jtorres)

Well, finally figured this out. In Apache's httpd.conf, the following SSL Directive must be added:

    SSLOptions +ExportCertData

So, for example, I have a Location setup within Apache to require client authentication for a URI within JBoss. I am self-signing, and only need to verify my self-signed clients. Here is the httpd.conf entry:

httpd.conf:

    <Location "/test/">
        SSLVerifyClient require
        SSLVerifyDepth 1
        SSLOptions +ExportCertData
        SSLCipherSuite HIGH:MEDIUM
    </Location>

workers2.properties:

    # Map the Tomcat examples webapp to the Web server uri space
    [uri:/test/*]
    group=lb

That's it...you'll then have access to the client certificate information using the following (in this example, a JSP):

    <%@page import="java.security.*,java.security.cert.*"%>
    <%
    try {
        if (request.isSecure()) {
            out.println("Client Request is secure<br>The following is the DN from your certificate:<br>");
            // Client certificate chain as exposed to the servlet container.
            java.security.cert.X509Certificate[] certs = (java.security.cert.X509Certificate[])
                    request.getAttribute("javax.servlet.request.X509Certificate");
            if (certs != null) {
                // The first element is the client's own certificate.
                X509Certificate clientCert = certs[0];
                if (clientCert != null) {
                    // Get the Distinguished Name for the user.
                    Principal userDN = clientCert.getSubjectDN();
                    out.println("User DN: " + userDN);
                    out.println("<br>");
                } else {
                    out.println("<br>Client Cert is null");
                }
            } else {
                out.println("<br>There are no client certificates available");
            }
        } else {
            out.println("Client request is <b>not</b> secure...no X509Certificate to inspect.");
        }
    } catch (Throwable t) {
        out.println("Caught Throwable:");
        t.printStackTrace();
    }
    %>
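
Going one step beyond printing the DN, this added example (not part of the original post) shows how the forwarded chain could drive an allow-list decision on the JBoss side, parsing the subject as RFC 2253 instead of splitting a string on commas. The class name, method names and CN allow-list are hypothetical, the sample DNs are constructed, and it assumes Java 8 or later rather than the JDK of the JBoss 3.2.4 era.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

// Added example: hypothetical helper, not code from the original post.
public class ClientCertCheck {
    // Returns the single CN of the subject, or null if it is missing or ambiguous.
    static String commonName(X500Principal subject) throws InvalidNameException {
        LdapName dn = new LdapName(subject.getName(X500Principal.RFC2253));
        String cn = null;
        for (Rdn rdn : dn.getRdns()) {
            if (rdn.size() > 1) return null;                  // multi-valued RDN: refuse
            if (!"CN".equalsIgnoreCase(rdn.getType())) continue;
            if (cn != null || !(rdn.getValue() instanceof String)) return null; // duplicate or binary CN
            cn = (String) rdn.getValue();                     // value is already unescaped
        }
        return cn;
    }

    // chain: the value of the javax.servlet.request.X509Certificate request attribute.
    static String authorizedUser(X509Certificate[] chain, Set<String> allowedCNs) {
        if (chain == null || chain.length == 0 || chain[0] == null) return null;
        try {
            chain[0].checkValidity();                         // re-check validity dates on the JBoss side
            String cn = commonName(chain[0].getSubjectX500Principal());
            return (cn != null && allowedCNs.contains(cn)) ? cn : null;
        } catch (CertificateException | InvalidNameException e) {
            return null;                                      // fail closed
        }
    }

    public static void main(String[] args) throws Exception {
        String[] samples = {                                  // constructed subject DNs
            "CN=alice, OU=Test, O=Example",
            "CN=Smith\\, John, OU=Test, O=Example",           // escaped comma inside the CN
            "OU=Test, O=Example"                              // no CN at all
        };
        for (String s : samples)
            System.out.println(s + " -> " + commonName(new X500Principal(s)));
        // No certificate forwarded to the backend: the request must be denied.
        System.out.println(authorizedUser(null, Collections.singleton("alice")));
    }
}
```

From the JSP above, the `certs` array read from the `javax.servlet.request.X509Certificate` attribute is what would be passed as `chain`. The result is only as trustworthy as the connector between Apache and JBoss, since the certificate arrives as data forwarded by Apache rather than from a TLS handshake terminated in JBoss.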