Re: Support for X-Forwarded-Client-Certificate
This works, but feels a tad dirty. I ended up modifying https://github.com/cloudfoundry/java-buildpack-client-certificate-mapper/blob/master/src/main/java/org/cloudfoundry/router/ClientCertificateMapper.java and having to insert a new SamlAssertionValidator that is aware of the certs.

Thanks!
Nimish

On 11/4/19, 4:57 AM, "Jason Pyeron" wrote:

    Use a mock cipher suite name, e.g. LAYER_7_WAF_INJECTION

    > -----Original Message-----
    > From: Nimish Telang [mailto:nim...@telang.net.INVALID]
    > Sent: Sunday, November 3, 2019 7:08 PM
    > To: users@cxf.apache.org
    > Subject: Re: Support for X-Forwarded-Client-Certificate
    >
    > > add the certificate back in to its stack
    >
    > Sure. It's not clear to me how to do this: what is CXF looking for, and will it do
    > the right thing even though the transport is not TLS? It seems that
    > AbstractHttpDestination needs cipher-suites (which wouldn't be known to
    > the CXF servlet) to actually "propogate" [sic] TlsSessionInfo:
    >
    >     private static void propogateSecureSession(HttpServletRequest request,
    >                                                Message message) {
    >         final String cipherSuite =
    >             (String) request.getAttribute(SSL_CIPHER_SUITE_ATTRIBUTE);
    >         if (cipherSuite != null) {
    >             final java.security.cert.Certificate[] certs =
    >                 (java.security.cert.Certificate[])
    >                     request.getAttribute(SSL_PEER_CERT_CHAIN_ATTRIBUTE);
    >             message.put(TLSSessionInfo.class,
    >                         new TLSSessionInfo(cipherSuite,
    >                                            null,
    >                                            certs));
    >         }
    >     }
    >
    > Nimish
    >
    > On 11/3/19, 6:45 PM, "Jason Pyeron" wrote:
    >
    >     Write a filter for your application server to add the certificate back into its
    >     stack. By doing that the default get client certificate Servlet features can be
    >     used.
    >
    >     > -----Original Message-----
    >     > From: Nimish Telang [mailto:nim...@telang.net.INVALID]
    >     > Sent: Sunday, November 3, 2019 6:03 PM
    >     > To: users@cxf.apache.org
    >     > Subject: Support for X-Forwarded-Client-Certificate
    >     >
    >     > Hi,
    >     >
    >     > I’m trying to run a CXF service behind an NGINX-ingress http proxy that has
    >     > to terminate mutual TLS. I’d like to have the client certificate forwarded to
    >     > the CXF server, since it’s needed to verify SAML and XML signature trust
    >     > (they just include the RSA public key).
    >     >
    >     > Is this natively supported in CXF, and if not, how should I make CXF aware of
    >     > the forwarded client certificate even though the CXF server is not listening on
    >     > TLS and is not terminating TLS?
    >     >
    >     > Nimish
RE: Support for X-Forwarded-Client-Certificate
Use a mock cipher suite name, e.g. LAYER_7_WAF_INJECTION

> -----Original Message-----
> From: Nimish Telang [mailto:nim...@telang.net.INVALID]
> Sent: Sunday, November 3, 2019 7:08 PM
> To: users@cxf.apache.org
> Subject: Re: Support for X-Forwarded-Client-Certificate
>
> > add the certificate back in to its stack
>
> Sure. It's not clear to me how to do this: what is CXF looking for, and will it do
> the right thing even though the transport is not TLS? It seems that
> AbstractHttpDestination needs cipher-suites (which wouldn't be known to
> the CXF servlet) to actually "propogate" [sic] TlsSessionInfo:
>
>     private static void propogateSecureSession(HttpServletRequest request,
>                                                Message message) {
>         final String cipherSuite =
>             (String) request.getAttribute(SSL_CIPHER_SUITE_ATTRIBUTE);
>         if (cipherSuite != null) {
>             final java.security.cert.Certificate[] certs =
>                 (java.security.cert.Certificate[])
>                     request.getAttribute(SSL_PEER_CERT_CHAIN_ATTRIBUTE);
>             message.put(TLSSessionInfo.class,
>                         new TLSSessionInfo(cipherSuite,
>                                            null,
>                                            certs));
>         }
>     }
>
> Nimish
>
> On 11/3/19, 6:45 PM, "Jason Pyeron" wrote:
>
>     Write a filter for your application server to add the certificate back into its
>     stack. By doing that the default get client certificate Servlet features can be
>     used.
>
>     > -----Original Message-----
>     > From: Nimish Telang [mailto:nim...@telang.net.INVALID]
>     > Sent: Sunday, November 3, 2019 6:03 PM
>     > To: users@cxf.apache.org
>     > Subject: Support for X-Forwarded-Client-Certificate
>     >
>     > Hi,
>     >
>     > I’m trying to run a CXF service behind an NGINX-ingress http proxy that has
>     > to terminate mutual TLS. I’d like to have the client certificate forwarded to
>     > the CXF server, since it’s needed to verify SAML and XML signature trust
>     > (they just include the RSA public key).
>     >
>     > Is this natively supported in CXF, and if not, how should I make CXF aware of
>     > the forwarded client certificate even though the CXF server is not listening on
>     > TLS and is not terminating TLS?
>     >
>     > Nimish
Re: Support for X-Forwarded-Client-Certificate
> add the certificate back in to its stack

Sure. It's not clear to me how to do this: what is CXF looking for, and will it do the right thing even though the transport is not TLS? It seems that AbstractHttpDestination needs cipher-suites (which wouldn't be known to the CXF servlet) to actually "propogate" [sic] TlsSessionInfo:

    private static void propogateSecureSession(HttpServletRequest request,
                                               Message message) {
        final String cipherSuite =
            (String) request.getAttribute(SSL_CIPHER_SUITE_ATTRIBUTE);
        if (cipherSuite != null) {
            final java.security.cert.Certificate[] certs =
                (java.security.cert.Certificate[])
                    request.getAttribute(SSL_PEER_CERT_CHAIN_ATTRIBUTE);
            message.put(TLSSessionInfo.class,
                        new TLSSessionInfo(cipherSuite,
                                           null,
                                           certs));
        }
    }

Nimish

On 11/3/19, 6:45 PM, "Jason Pyeron" wrote:

    Write a filter for your application server to add the certificate back into its
    stack. By doing that the default get client certificate Servlet features can be
    used.

    > -----Original Message-----
    > From: Nimish Telang [mailto:nim...@telang.net.INVALID]
    > Sent: Sunday, November 3, 2019 6:03 PM
    > To: users@cxf.apache.org
    > Subject: Support for X-Forwarded-Client-Certificate
    >
    > Hi,
    >
    > I’m trying to run a CXF service behind an NGINX-ingress http proxy that has
    > to terminate mutual TLS. I’d like to have the client certificate forwarded to
    > the CXF server, since it’s needed to verify SAML and XML signature trust
    > (they just include the RSA public key).
    >
    > Is this natively supported in CXF, and if not, how should I make CXF aware of
    > the forwarded client certificate even though the CXF server is not listening on
    > TLS and is not terminating TLS?
    >
    > Nimish
RE: Support for X-Forwarded-Client-Certificate
Write a filter for your application server to add the certificate back into its stack. By doing that the default get client certificate Servlet features can be used.

> -----Original Message-----
> From: Nimish Telang [mailto:nim...@telang.net.INVALID]
> Sent: Sunday, November 3, 2019 6:03 PM
> To: users@cxf.apache.org
> Subject: Support for X-Forwarded-Client-Certificate
>
> Hi,
>
> I’m trying to run a CXF service behind an NGINX-ingress http proxy that has
> to terminate mutual TLS. I’d like to have the client certificate forwarded to
> the CXF server, since it’s needed to verify SAML and XML signature trust
> (they just include the RSA public key).
>
> Is this natively supported in CXF, and if not, how should I make CXF aware of
> the forwarded client certificate even though the CXF server is not listening on
> TLS and is not terminating TLS?
>
> Nimish
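The filter Jason suggests, combined with the mock cipher suite name from his later reply, as an added example (not code from the thread, the Cloud Foundry mapper, or CXF): it accepts the forwarded header only from the mTLS-terminating proxy, parses it into a chain, and sets the two Servlet-spec request attributes that CXF's propogateSecureSession reads. Assumed here: the header name and that its value is URL-encoded PEM, the proxy address 10.0.0.5, and the Servlet 4.0 javax.servlet API.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.servlet.*; // Servlet 4.0 API assumed (Filter.init/destroy have default bodies)
import javax.servlet.http.HttpServletRequest;
/** Rebuilds the Servlet TLS request attributes from a proxy-forwarded client certificate. */
public class ForwardedClientCertFilter implements Filter {
    // Servlet-spec attribute names; these are what CXF's AbstractHttpDestination reads.
    static final String CIPHER_SUITE_ATTR = "javax.servlet.request.cipher_suite";
    static final String CERT_CHAIN_ATTR = "javax.servlet.request.X509Certificate";
    // Assumption: the proxy sends the client cert as URL-encoded PEM in this header.
    static final String HEADER = "X-Forwarded-Client-Certificate";
    // Mock cipher suite name from the thread; CXF only needs it to be non-null.
    static final String MOCK_CIPHER_SUITE = "LAYER_7_WAF_INJECTION";
    // Only the mTLS-terminating proxy may assert a client identity (constructed address).
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
            throws IOException, ServletException {
        String header = ((HttpServletRequest) req).getHeader(HEADER);
        // Anyone who can reach the servlet directly can send this header, so it is
        // honoured only when the connection comes from the proxy; otherwise ignored.
        if (header != null && TRUSTED_PROXIES.contains(req.getRemoteAddr())) {
            X509Certificate[] certs = parseChain(header);
            if (certs != null && certs.length > 0) {
                req.setAttribute(CERT_CHAIN_ATTR, certs);
                req.setAttribute(CIPHER_SUITE_ATTR, MOCK_CIPHER_SUITE);
            }
        }
        next.doFilter(req, res);
    }
    /** URL-decodes the header and parses the PEM chain; null if it is not a valid chain. */
    static X509Certificate[] parseChain(String headerValue) {
        try {
            String pem = URLDecoder.decode(headerValue, StandardCharsets.UTF_8.name());
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return cf.generateCertificates(
                    new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)))
                    .toArray(new X509Certificate[0]);
        } catch (Exception e) { // a malformed header must never become an authenticated identity
            return null;
        }
    }
}
```

Map the filter in front of the CXF servlet; getRemoteAddr() is the TCP peer, so the trusted-proxy check only holds when the proxy connects to the servlet container directly rather than through a further hop.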