Re: Support for X-Forwarded-Client-Certificate

2019-11-04 Thread Nimish Telang
This works, but feels a tad dirty. I ended up modifying
https://github.com/cloudfoundry/java-buildpack-client-certificate-mapper/blob/master/src/main/java/org/cloudfoundry/router/ClientCertificateMapper.java
and having to insert a new SamlAssertionValidator that is aware of the certs.

Thanks!

Nimish

On 11/4/19, 4:57 AM, "Jason Pyeron" wrote:

Use a mock cipher suite name, e.g. LAYER_7_WAF_INJECTION

> -----Original Message-----
> From: Nimish Telang [mailto:nim...@telang.net.INVALID]
> Sent: Sunday, November 3, 2019 7:08 PM
> To: users@cxf.apache.org
> Subject: Re: Support for X-Forwarded-Client-Certificate
> 
> > add the certificate back into its stack
> 
> Sure. It's not clear to me how to do this: what is CXF looking for, and will it do
> the right thing even though the transport is not TLS? It seems to go to
> AbstractHttpDestination, which needs cipher suites (which wouldn't be known to
> the CXF servlet) to actually "propogate" [sic] TLSSessionInfo:
> 
> private static void propogateSecureSession(HttpServletRequest request,
>                                            Message message) {
>     final String cipherSuite =
>         (String) request.getAttribute(SSL_CIPHER_SUITE_ATTRIBUTE);
>     if (cipherSuite != null) {
>         final java.security.cert.Certificate[] certs =
>             (java.security.cert.Certificate[])
>                 request.getAttribute(SSL_PEER_CERT_CHAIN_ATTRIBUTE);
>         message.put(TLSSessionInfo.class,
>                     new TLSSessionInfo(cipherSuite,
>                                        null,
>                                        certs));
>     }
> }
> 
> Nimish
> 
> 
> On 11/3/19, 6:45 PM, "Jason Pyeron" wrote:
> 
> Write a filter for your application server to add the certificate back into its
> stack. By doing that, the default get-client-certificate Servlet features can be
> used.
> 
> > -----Original Message-----
> > From: Nimish Telang [mailto:nim...@telang.net.INVALID]
> > Sent: Sunday, November 3, 2019 6:03 PM
> > To: users@cxf.apache.org
> > Subject: Support for X-Forwarded-Client-Certificate
> >
> > Hi,
> >
> > I’m trying to run a CXF service behind an NGINX-ingress http proxy that has
> > to terminate mutual TLS. I’d like to have the client certificate forwarded to
> > the CXF server, since it’s needed to verify SAML and XML signature trust
> > (they just include the RSA public key).
> >
> > Is this natively supported in CXF, and if not, how should I make CXF aware of
> > the forwarded client certificate even though the CXF server is not listening on
> > TLS and is not terminating TLS?
> >
> > Nimish
> 
> 

RE: Support for X-Forwarded-Client-Certificate

2019-11-04 Thread Jason Pyeron
Use a mock cipher suite name, e.g. LAYER_7_WAF_INJECTION

> -----Original Message-----
> From: Nimish Telang [mailto:nim...@telang.net.INVALID]
> Sent: Sunday, November 3, 2019 7:08 PM
> To: users@cxf.apache.org
> Subject: Re: Support for X-Forwarded-Client-Certificate
> 
> > add the certificate back into its stack
> 
> Sure. It's not clear to me how to do this: what is CXF looking for, and will it do
> the right thing even though the transport is not TLS? It seems to go to
> AbstractHttpDestination, which needs cipher suites (which wouldn't be known to
> the CXF servlet) to actually "propogate" [sic] TLSSessionInfo:
> 
> private static void propogateSecureSession(HttpServletRequest request,
>                                            Message message) {
>     final String cipherSuite =
>         (String) request.getAttribute(SSL_CIPHER_SUITE_ATTRIBUTE);
>     if (cipherSuite != null) {
>         final java.security.cert.Certificate[] certs =
>             (java.security.cert.Certificate[])
>                 request.getAttribute(SSL_PEER_CERT_CHAIN_ATTRIBUTE);
>         message.put(TLSSessionInfo.class,
>                     new TLSSessionInfo(cipherSuite,
>                                        null,
>                                        certs));
>     }
> }
> 
> Nimish
> 
> 
> On 11/3/19, 6:45 PM, "Jason Pyeron" wrote:
> 
> Write a filter for your application server to add the certificate back into its
> stack. By doing that, the default get-client-certificate Servlet features can be
> used.
> 
> > -----Original Message-----
> > From: Nimish Telang [mailto:nim...@telang.net.INVALID]
> > Sent: Sunday, November 3, 2019 6:03 PM
> > To: users@cxf.apache.org
> > Subject: Support for X-Forwarded-Client-Certificate
> >
> > Hi,
> >
> > I’m trying to run a CXF service behind an NGINX-ingress http proxy that has
> > to terminate mutual TLS. I’d like to have the client certificate forwarded to
> > the CXF server, since it’s needed to verify SAML and XML signature trust
> > (they just include the RSA public key).
> >
> > Is this natively supported in CXF, and if not, how should I make CXF aware of
> > the forwarded client certificate even though the CXF server is not listening on
> > TLS and is not terminating TLS?
> >
> > Nimish
> 
> 

Re: Support for X-Forwarded-Client-Certificate

2019-11-03 Thread Nimish Telang
> add the certificate back into its stack

Sure. It's not clear to me how to do this: what is CXF looking for, and will it
do the right thing even though the transport is not TLS? It seems to go to
AbstractHttpDestination, which needs cipher suites (which wouldn't be known to the
CXF servlet) to actually "propogate" [sic] TLSSessionInfo:

private static void propogateSecureSession(HttpServletRequest request,
                                           Message message) {
    final String cipherSuite =
        (String) request.getAttribute(SSL_CIPHER_SUITE_ATTRIBUTE);
    if (cipherSuite != null) {
        final java.security.cert.Certificate[] certs =
            (java.security.cert.Certificate[])
                request.getAttribute(SSL_PEER_CERT_CHAIN_ATTRIBUTE);
        message.put(TLSSessionInfo.class,
                    new TLSSessionInfo(cipherSuite,
                                       null,
                                       certs));
    }
}

Nimish


On 11/3/19, 6:45 PM, "Jason Pyeron" wrote:

Write a filter for your application server to add the certificate back into
its stack. By doing that, the default get-client-certificate Servlet features
can be used.

> -----Original Message-----
> From: Nimish Telang [mailto:nim...@telang.net.INVALID]
> Sent: Sunday, November 3, 2019 6:03 PM
> To: users@cxf.apache.org
> Subject: Support for X-Forwarded-Client-Certificate
> 
> Hi,
> 
> I’m trying to run a CXF service behind an NGINX-ingress http proxy that has
> to terminate mutual TLS. I’d like to have the client certificate forwarded to
> the CXF server, since it’s needed to verify SAML and XML signature trust
> (they just include the RSA public key).
> 
> Is this natively supported in CXF, and if not, how should I make CXF aware of
> the forwarded client certificate even though the CXF server is not listening on
> TLS and is not terminating TLS?
> 
> Nimish

RE: Support for X-Forwarded-Client-Certificate

2019-11-03 Thread Jason Pyeron
Write a filter for your application server to add the certificate back into
its stack. By doing that, the default get-client-certificate Servlet features
can be used.

> -----Original Message-----
> From: Nimish Telang [mailto:nim...@telang.net.INVALID]
> Sent: Sunday, November 3, 2019 6:03 PM
> To: users@cxf.apache.org
> Subject: Support for X-Forwarded-Client-Certificate
> 
> Hi,
> 
> I’m trying to run a CXF service behind an NGINX-ingress http proxy that has
> to terminate mutual TLS. I’d like to have the client certificate forwarded to
> the CXF server, since it’s needed to verify SAML and XML signature trust
> (they just include the RSA public key).
> 
> Is this natively supported in CXF, and if not, how should I make CXF aware of
> the forwarded client certificate even though the CXF server is not listening on
> TLS and is not terminating TLS?
> 
> Nimish
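The filter approach discussed in this thread, written out as an added example; it is not code from the CXF project, from the cloudfoundry mapper, or from either participant. It sets the two standard servlet request attributes, javax.servlet.request.X509Certificate and javax.servlet.request.cipher_suite, which are the values of CXF's SSL_PEER_CERT_CHAIN_ATTRIBUTE and SSL_CIPHER_SUITE_ATTRIBUTE, so that propogateSecureSession() above builds a TLSSessionInfo even though the servlet container never saw TLS, and it uses the placeholder suite name from the thread. Everything else is an assumption the page does not state: the header name is taken from the subject line (nginx-ingress may use a different one), the header is assumed to carry URL-encoded PEM in the form nginx's $ssl_client_escaped_cert variable produces, the javax.servlet API of the period is used, and the set of proxy source addresses that are allowed to assert a certificate is supplied by the deployer.

```java
// Added example (not CXF or thread code): restores the TLS request attributes that CXF's
// AbstractHttpDestination reads, from a client certificate forwarded by the mTLS-terminating
// proxy. Assumed: URL-encoded PEM in the header, known proxy addresses, javax.servlet API.
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
import java.util.List;
import java.util.Set;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

public class ForwardedClientCertificateFilter implements Filter {
    // Header name taken from the thread subject (assumption); nginx-ingress may use another.
    static final String HEADER = "X-Forwarded-Client-Certificate";
    // Standard servlet attribute names: what CXF's SSL_PEER_CERT_CHAIN_ATTRIBUTE and
    // SSL_CIPHER_SUITE_ATTRIBUTE resolve to in propogateSecureSession().
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final String CIPHER_ATTR = "javax.servlet.request.cipher_suite";
    // CXF only builds TLSSessionInfo when a cipher suite is present; this placeholder
    // (the one suggested in the thread) cannot collide with a real JSSE suite name.
    static final String MOCK_CIPHER_SUITE = "LAYER_7_WAF_INJECTION";
    // Only the proxy that actually verified the client certificate may assert one.
    private final Set<String> trustedProxyAddresses;

    public ForwardedClientCertificateFilter(Set<String> trustedProxyAddresses) {
        this.trustedProxyAddresses = trustedProxyAddresses;
    }

    @Override public void init(FilterConfig config) { }
    @Override public void destroy() { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain next)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String forwarded = http.getHeader(HEADER);
        if (forwarded != null && trustedProxyAddresses.contains(http.getRemoteAddr())) {
            X509Certificate[] certs;
            try {
                certs = parseForwardedChain(forwarded);
            } catch (CertificateException | IllegalArgumentException e) {
                // The trusted proxy sent an unparseable value: fail closed, not anonymous.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST,
                        "invalid forwarded client certificate");
                return;
            }
            http.setAttribute(CERT_ATTR, certs);
            http.setAttribute(CIPHER_ATTR, MOCK_CIPHER_SUITE);
        }
        // Accepted or spoofed, the raw header must not reach the application; it only
        // ever sees the attributes set above.
        next.doFilter(withoutHeader(http), res);
    }

    /** Decodes one or more URL-encoded PEM certificates (leaf first) into a chain. */
    static X509Certificate[] parseForwardedChain(String headerValue)
            throws CertificateException, IOException {
        // $ssl_client_escaped_cert percent-encodes '+', '/', '=' and newlines, so URL
        // decoding restores the exact PEM text; unescaped PEM would lose its '+' here.
        String pem = URLDecoder.decode(headerValue, StandardCharsets.UTF_8.name());
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate[] chain = cf.generateCertificates(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)))
                .toArray(new X509Certificate[0]);
        if (chain.length == 0) throw new CertificateException("no certificate in header");
        return chain;
    }

    /** Hides the forwarding header so nothing downstream can re-read an unverified value. */
    static HttpServletRequest withoutHeader(HttpServletRequest req) {
        return new HttpServletRequestWrapper(req) {
            @Override public String getHeader(String name) {
                return HEADER.equalsIgnoreCase(name) ? null : super.getHeader(name);
            }
            @Override public Enumeration<String> getHeaders(String name) {
                return HEADER.equalsIgnoreCase(name)
                        ? Collections.emptyEnumeration() : super.getHeaders(name);
            }
            @Override public Enumeration<String> getHeaderNames() {
                List<String> names = new ArrayList<>();
                for (Enumeration<String> e = super.getHeaderNames(); e.hasMoreElements();) {
                    String n = e.nextElement();
                    if (!HEADER.equalsIgnoreCase(n)) names.add(n);
                }
                return Collections.enumeration(names);
            }
        };
    }
}
```

Register the filter ahead of the CXFServlet (a filter-mapping in web.xml, or ServletContext.addFilter) and have the proxy set the header from its own verified value only (in nginx terms, ssl_verify_client on and proxy_set_header with $ssl_client_escaped_cert). The remote-address check is the part that matters for security: the servlet is plain HTTP, so anything that can reach it without going through the ingress could otherwise hand CXF an arbitrary certificate and have its public key accepted for SAML and XML-signature trust. Two caveats follow from the design: the proxy, not CXF, is what proved possession of the private key, so this only restores the certificate for trust decisions, and the placeholder suite name will appear wherever CXF reports the cipher suite.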