1 Reply Latest reply on Jun 12, 2004 12:25 AM by jtorres

    Apache 2.0.49 + mod_jk2 + JBoss 3.2.4 + Mutual Authentication

    jtorres

      JBoss version: 3.2.4 (on Windows Server 2003)
      Apache version: 2.0.49 (Linux)
      Java Version: 1.4.2_04

      I have successfully configured Apache to communicate with JBoss with and without SSL. With Mutual Authentication setup between the HTTP Clients and Apache2, assuming the client is authenticated, access to the resources within JBoss is successful as well.

      The Issue:
      Within JBoss, I have a JSP that needs access to the client's certificate information. I'm using the following code:

      <%@page import="java.security.*,java.security.cert.*"%>

      <%
      try {
          if (request.isSecure()) {
              out.println("Client Request is secure<br>The following is the DN from your certificate:<br>");
              // The container exposes the forwarded client chain under this standard attribute.
              java.security.cert.X509Certificate[] certs = (java.security.cert.X509Certificate[])
                  request.getAttribute("javax.servlet.request.X509Certificate");
              if (certs != null && certs.length > 0) {
                  // Element 0 is the end-entity (client) certificate.
                  X509Certificate clientCert = certs[0];
                  if (clientCert != null) {
                      // Get the Distinguished Name for the user.
                      Principal userDN = clientCert.getSubjectDN();
                      out.println("User DN: " + userDN);
                      out.println("<br>");
                  } else {
                      out.println("<br>Client Cert is null");
                  }
              } else {
                  out.println("<br>There are no client certificates available");
              }
          } else {
              out.println("Client request is <b>not</b> secure...no X509Certificate to inspect.");
          }
      } catch (Throwable t) {
          out.println("Caught Throwable:");
          // The stack trace goes to the server console/log, not to the response.
          t.printStackTrace();
      }
      %>



      The request.isSecure() call returns true; however, no certificate is returned.

      Has anyone else encountered this issue? I'd settle for accessing the certificate information via HTTP headers, but could not find information on this.

      TIA! :)


        • 1. Re: Apache 2.0.49 + mod_jk2 + JBoss 3.2.4 + Mutual Authentication
          jtorres

          Well, finally figured this out. In Apache's httpd.conf, the following SSL Directive must be added:

          SSLOptions +ExportCertData
          


          So, for example, I have a Location set up within Apache to require client authentication for a URI within JBoss. I am self-signing, and only need to verify my self-signed clients. Here is the httpd.conf entry:

          httpd.conf

          <Location "/test/">
           SSLVerifyClient require
           SSLVerifyDepth 1
           SSLOptions +ExportCertData
           SSLCipherSuite HIGH:MEDIUM
          </Location>
          


          workers2.properties
          # Map the Tomcat examples webapp to the Web server uri space
          [uri:/test/*]
          group=lb
          


          That's it...you'll then have access to the client certificate information using the following (in this example, a JSP):

          <%@page import="java.security.*,java.security.cert.*"%>

          <%
          try {
              if (request.isSecure()) {
                  out.println("Client Request is secure<br>The following is the DN from your certificate:<br>");
                  // With SSLOptions +ExportCertData in place, mod_jk2 forwards the chain and
                  // the container exposes it under this standard attribute.
                  java.security.cert.X509Certificate[] certs = (java.security.cert.X509Certificate[])
                      request.getAttribute("javax.servlet.request.X509Certificate");
                  if (certs != null && certs.length > 0) {
                      // Element 0 is the end-entity (client) certificate.
                      X509Certificate clientCert = certs[0];
                      if (clientCert != null) {
                          // Get the Distinguished Name for the user.
                          Principal userDN = clientCert.getSubjectDN();
                          out.println("User DN: " + userDN);
                          out.println("<br>");
                      } else {
                          out.println("<br>Client Cert is null");
                      }
                  } else {
                      out.println("<br>There are no client certificates available");
                  }
              } else {
                  out.println("Client request is <b>not</b> secure...no X509Certificate to inspect.");
              }
          } catch (Throwable t) {
              out.println("Caught Throwable:");
              // The stack trace goes to the server console/log, not to the response.
              t.printStackTrace();
          }
          %>
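The JSP above prints whatever arrives in the attribute. As an added example (not the poster's code and not part of JBoss), the servlet filter below shows how a protected URI such as /test/* would consume the forwarded certificate defensively: it refuses requests where the attribute is absent or empty (the exact symptom the original post describes when `+ExportCertData` is missing), re-checks the validity period, and hands the subject name to downstream JSPs under a request attribute instead of having each page cast the array itself. The class name `ClientCertFilter` and the attribute name `client.subject` are assumptions for this example; everything else uses the standard Servlet 2.3 API and `java.security.cert`.

```java
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Filter that consumes the client certificate forwarded by Apache (mod_ssl with
 * SSLOptions +ExportCertData) through mod_jk2 and exposed by the container under
 * the standard request attribute. Requests without a usable certificate are
 * rejected before they reach the protected JSPs.
 *
 * ClientCertFilter and SUBJECT_ATTR are assumed names for this example.
 */
public class ClientCertFilter implements Filter {

    /** Standard attribute name (Servlet spec) under which the container exposes the chain. */
    public static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Assumed attribute name under which the verified subject is handed downstream. */
    public static final String SUBJECT_ATTR = "client.subject";

    public void init(FilterConfig config) {
    }

    public void destroy() {
    }

    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse httpResponse = (HttpServletResponse) response;

        // isSecure() alone proves nothing about the client: the original post shows it
        // returning true while the certificate attribute is still null.
        if (!request.isSecure()) {
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "TLS required");
            return;
        }

        Object attr = request.getAttribute(CERT_ATTR);
        X509Certificate[] certs = (attr instanceof X509Certificate[]) ? (X509Certificate[]) attr : null;

        String subject = verifiedSubject(certs);
        if (subject == null) {
            httpResponse.sendError(HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }

        request.setAttribute(SUBJECT_ATTR, subject);
        chain.doFilter(request, response);
    }

    /**
     * Returns the subject DN of the end-entity certificate (element 0 of the chain),
     * or null when no certificate was forwarded or it is outside its validity period.
     * Apache already verified the chain against the configured CA (SSLVerifyClient
     * require, SSLVerifyDepth 1); the date check here is a second, independent check
     * inside the application server.
     */
    static String verifiedSubject(X509Certificate[] certs) {
        if (certs == null || certs.length == 0 || certs[0] == null) {
            return null;
        }
        X509Certificate clientCert = certs[0];
        try {
            clientCert.checkValidity();
        } catch (CertificateExpiredException e) {
            return null;
        } catch (CertificateNotYetValidException e) {
            return null;
        }
        // getSubjectX500Principal() yields an RFC 2253 string; getSubjectDN() is
        // implementation-specific and documented as denigrated in the JDK.
        return clientCert.getSubjectX500Principal().getName();
    }
}
```

Map the filter to the same URI space as the Apache Location (a `<filter-mapping>` with `<url-pattern>/test/*</url-pattern>` in web.xml), so the Apache-side and JBoss-side protection cover the same paths. The attribute is only as trustworthy as the connection it arrived on: the container accepts whatever certificate data mod_jk2 sends over AJP, so the AJP listener on the JBoss host should only be reachable from the Apache server (bind address or host firewall); otherwise the filter is verifying an assertion that did not come from mod_ssl.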