Client Certificates
I would like to write a filter that accesses a client certificate attached to the servlet request without using a proxy server. After three weeks of searching, I'm beginning to feel like it is not possible, because every article I've found assumes the request was forwarded from a proxy server.

So my questions are: Is it even possible? If it is, can someone point me in the right direction? Also, if it is possible, but strongly discouraged for security reasons, let me know that as well. I am not averse to using a proxy server, especially if it is considered a "best practice".

Thanks in advance
Robert Egan
--
VSolvit LLC, CMMI (Level 3), ISO 9001, ISO 2-1, ISO 27001
1305 Executive Blvd. Ste. 160 | Chesapeake | VA | 23320
(617) 455-1425
www.vsolvit.com

VSolvit (We*Solve*it) is an award winning technology services company that specializes in the areas of Geographic Information Systems and IT application development / database integration.

Cyber-security ~ Cloud Computing ~ GIS ~ Business Intelligence ~ Data Warehousing.

CONFIDENTIALITY NOTICE: This communication, including attachments, is for the exclusive use of addressee and may contain proprietary, confidential or privileged information. If you are not the intended recipient, any use, copying, disclosure, dissemination or distribution is strictly prohibited. If you are not the intended recipient, please notify the sender immediately by return email and delete this communication and destroy all copies.
Re: Client Certificates
Here is a filter that I am using to get the client certificates. The issue I'm having is passing them along via the headers so they can be picked up as CGI Environment Variables down the road. This does get me the certificate information though. Just ignore the mutableRequest stuff, as that is what I was trying to use to put the information in the RequestHeader, so there is another java file that does that.

    import java.io.IOException;

    import javax.servlet.FilterChain;
    import javax.servlet.FilterConfig;
    import javax.servlet.ServletException;
    import javax.servlet.ServletRequest;
    import javax.servlet.ServletResponse;
    import javax.servlet.http.HttpServletRequest;
    import java.security.cert.X509Certificate;
    //import MutableHttpServletRequest;

    public class SecurityFilter implements javax.servlet.Filter {

        @Override
        public void destroy() {
        }

        @Override
        public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
                throws IOException, ServletException {
            System.out.println("doFilter-Start.");
            HttpServletRequest req = (HttpServletRequest) request;
            //MutableHttpServletRequest mutableRequest = new MutableHttpServletRequest(req);

            // Tomcat stores the client certificate chain under this request attribute
            // when the HTTPS connector negotiated client authentication.
            X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
            System.out.println("doFilter-SSL_CLIENT_S_DN=" + certs[0].getSubjectX500Principal().getName());
            System.out.println("doFilter-SSL_CERTIFICATES_FOUND=" + Integer.toString(certs.length));

            //mutableRequest.putHeader("SSL_CLIENT_S_DN", certs[0].getSubjectX500Principal().getName());
            //mutableRequest.putHeader("SSL_CERTIFICATES_FOUND", Integer.toString(certs.length));
            //chain.doFilter(mutableRequest, response);

            // Continue the filter chain with the original request; without this call
            // the filter swallows every request and nothing downstream ever runs.
            chain.doFilter(request, response);
            System.out.println("doFilter-Done.");
        }

        @Override
        public void init(FilterConfig filterConfig) throws ServletException {
        }
    }

On Mon, Jul 17, 2023 at 10:38 AM Robert Egan wrote:
> I would like to write a filter that accesses a client certificate attached to the servlet request without using a proxy server.
Re: Client Certificates
Tim,

On 7/17/23 10:58, Timothy Ward wrote:
> Here is a filter that I am using to get the client certificates, the issue I'm having is passing them along via the headers so they can be picked up as CGI Environment Variables down the road. This does get me the certificate information though. Just ignore the mutableRequest stuff as that is what I was trying to use to put the information in the RequestHeader, so there is another java file that does that.

Robert can also probably ignore the comment about "CGI Environment Variables" because all that is handled by the Servlet Container (Tomcat) by placing the certificate and chain under this request attribute key:

    javax.servlet.request.X509Certificate

Robert, if you read the Servlet API (it's not awful! I promise!) you'll see what other things get put in there when client-certs are in use.

> import java.io.IOException;
> import javax.servlet.FilterChain;
> import javax.servlet.FilterConfig;
> import javax.servlet.ServletException;
> import javax.servlet.ServletRequest;
> import javax.servlet.ServletResponse;
> import javax.servlet.http.HttpServletRequest;
> import javax.servlet.http.HttpServletResponse;
> import java.security.cert.Certificate;
> import java.security.cert.X509Certificate;
> //import MutableHttpServletRequest;
>
> public class SecurityFilter implements javax.servlet.Filter {
>
>     @Override
>     public void destroy() {
>     }
>
>     @Override
>     public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
>             throws IOException, ServletException {
>         System.out.println("doFilter-Start.");
>         HttpServletRequest req = (HttpServletRequest) request;
>         //MutableHttpServletRequest mutableRequest = new MutableHttpServletRequest(req);
>         X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
>         System.out.println("doFilter-SSL_CLIENT_S_DN="+certs[0].getSubjectX500Principal().getName());

I would highly recommend some null-checking in here /just in case/ but this is basically what you (Robert) are looking for.

>         System.out.println("doFilter-SSL_CERTIFICATES_FOUND="+Integer.toString(certs.length));
>         //mutableRequest.putHeader("SSL_CLIENT_S_DN", certs[0].getSubjectX500Principal().getName());
>         //mutableRequest.putHeader("SSL_CERTIFICATES_FOUND", Integer.toString(certs.length));
>         //chain.doFilter(mutableRequest, response);
>         System.out.println("doFilter-Done.");
>     }
>
>     @Override
>     public void init(FilterConfig filterConfig) throws ServletException {
>     }
> }

-chris
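The filter below is an added example, written for this thread; it is not code posted by Tim or Chris and not Tomcat's own code. It does what Chris describes (read the chain Tomcat stores under javax.servlet.request.X509Certificate when Tomcat's own HTTPS connector performed the TLS handshake, no proxy involved) with the null-checking he recommends, and it adds the checks a practitioner wants before trusting that identity: the request must have arrived over TLS, the attribute may be null when the connector is configured with clientAuth="want" and the client sent nothing, and the leaf certificate's validity period is re-checked per request. It assumes a Tomcat 9 / Servlet 4 (javax.* packages; on Tomcat 10+ the same classes live under jakarta.*) and an HTTPS Connector with clientAuth="true" or "want" and a truststore holding the client CA. The attribute name com.example.client.subjectDn is our own invention for downstream code, not a Servlet API name.

```java
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Added example (not from the thread): reads the client certificate chain that
 * Tomcat stores on the request when its own HTTPS connector did the handshake.
 * Assumes Tomcat 9 / Servlet 4 (javax.*); use jakarta.* on Tomcat 10 and later.
 */
public class ClientCertFilter implements Filter {

    /** Attribute key defined by the Servlet specification for the chain. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Our own attribute name for downstream code (an assumption, not an API name). */
    static final String SUBJECT_ATTR = "com.example.client.subjectDn";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void destroy() { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // Only a TLS connector can have populated the attribute; a plain-HTTP
        // request (including one relayed by a proxy) never carries it.
        if (!req.isSecure()) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required over TLS");
            return;
        }

        // Null when the connector uses clientAuth="want" and the client sent no
        // certificate, or when clientAuth="false". Never index certs[0] blindly.
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no client certificate presented");
            return;
        }

        // certs[0] is the end-entity certificate; the remaining entries are the
        // chain Tomcat verified against the connector's truststore at handshake.
        X509Certificate leaf = certs[0];
        try {
            leaf.checkValidity();  // rejects expired / not-yet-valid certificates
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "client certificate not valid: " + e.getMessage());
            return;
        }

        // Hand the identity to downstream code as a request attribute, which a
        // client cannot set, rather than as a request header, which it can.
        String subjectDn = leaf.getSubjectX500Principal().getName();
        req.setAttribute(SUBJECT_ATTR, subjectDn);
        req.setAttribute(SUBJECT_ATTR + ".chainLength", Integer.valueOf(certs.length));

        chain.doFilter(request, response);
    }
}
```

Two notes on the design. The per-request checkValidity() call is cheap insurance: Tomcat's trust manager checks the period at handshake time, but a resumed TLS session can outlive the certificate's notAfter. And if downstream code really must see SSL_CLIENT_S_DN as a request header, as in Tim's mutableRequest approach, the same filter has to discard any copy of that header the client sent, otherwise anyone who can reach the connector without a certificate (or with a different one) can assert whatever DN they like.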