> add the certificate back in to its stack

Sure. It's not clear to me how to do this: what is CXF looking for, and will it do the right thing even though the transport is not TLS? It seems that AbstractHttpDestination needs cipher-suites (which wouldn't be known to the CXF servlet) to actually "propogate" [sic] TlsSessionInfo:
    import javax.servlet.http.HttpServletRequest;
    import org.apache.cxf.message.Message;
    import org.apache.cxf.security.transport.TLSSessionInfo;

    // Excerpt from CXF's AbstractHTTPDestination. The two attribute names are the
    // Servlet-spec ones: SSL_CIPHER_SUITE_ATTRIBUTE = "javax.servlet.request.cipher_suite",
    // SSL_PEER_CERT_CHAIN_ATTRIBUTE = "javax.servlet.request.X509Certificate".
    // TLSSessionInfo is only attached when the container exposed a cipher suite,
    // i.e. when the servlet container itself terminated TLS.
    private static void propogateSecureSession(HttpServletRequest request, Message message) {
        final String cipherSuite = (String) request.getAttribute(SSL_CIPHER_SUITE_ATTRIBUTE);
        if (cipherSuite != null) {
            final java.security.cert.Certificate[] certs =
                (java.security.cert.Certificate[]) request.getAttribute(SSL_PEER_CERT_CHAIN_ATTRIBUTE);
            message.put(TLSSessionInfo.class, new TLSSessionInfo(cipherSuite, null, certs));
        }
    }

Nimish

On 11/3/19, 6:45 PM, "Jason Pyeron" <jpye...@pdinc.us> wrote:

    Write a filter for your application server to add the certificate back in to its stack. By doing that the default get client certificate Servlet features can be used.

    > -----Original Message-----
    > From: Nimish Telang [mailto:nim...@telang.net.INVALID]
    > Sent: Sunday, November 3, 2019 6:03 PM
    > To: users@cxf.apache.org
    > Subject: Support for X-Forwarded-Client-Certificate
    >
    > Hi,
    >
    > I’m trying to run a CXF service behind an NGINX-ingress http proxy that has
    > to terminate mutual TLS. I’d like to have the client certificate forwarded to
    > the CXF server, since it’s needed to verify SAML and XML signature trust
    > (they just include the RSA public key).
    >
    > Is this natively supported in CXF, and if not, how should I make CXF aware of
    > the forwarded client certificate even though the CXF server is not listening on
    > TLS and is not terminating TLS?
    >
    > Nimish
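The kind of filter Jason describes, as an added example that is not part of this thread or of CXF: it re-creates the two Servlet-spec request attributes that AbstractHTTPDestination reads, so the existing propogateSecureSession path fires. The header name comes from the subject line; that it carries a URL-encoded PEM certificate (as nginx's $ssl_client_escaped_cert does), the proxy address, and the placeholder cipher-suite value are all assumptions, the last because the real suite is not known behind the proxy.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical filter: restores client-certificate attributes behind a TLS-terminating proxy. */
public class ForwardedClientCertFilter implements Filter {
    // Header name from the thread subject; assumed to carry the PEM URL-encoded
    static final String HEADER = "X-Forwarded-Client-Certificate";
    // Servlet-spec attribute names that CXF's AbstractHTTPDestination reads
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final String CIPHER_ATTR = "javax.servlet.request.cipher_suite";
    // Assumed proxy address: the header is ignored from any other peer, so a direct
    // client cannot inject a certificate of its own choosing
    static final Set<String> TRUSTED_PROXIES = Collections.singleton("10.0.0.5");

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String header = ((HttpServletRequest) req).getHeader(HEADER);
        if (header != null && TRUSTED_PROXIES.contains(req.getRemoteAddr())
                && req.getAttribute(CERT_ATTR) == null) {   // never override a real TLS handshake
            try {
                req.setAttribute(CERT_ATTR, new X509Certificate[] { parse(header) });
                // CXF attaches TLSSessionInfo only when a cipher suite is present; the real
                // one is unknown here, so a marker value is stored that downstream code can recognise
                req.setAttribute(CIPHER_ATTR, "FORWARDED_BY_PROXY");
            } catch (CertificateException e) {
                throw new ServletException("unparseable " + HEADER, e);
            }
        }
        chain.doFilter(req, res);
    }

    // Decode the URL-escaped PEM and parse it with the JDK's X.509 factory (leaf only)
    static X509Certificate parse(String urlEncodedPem) throws CertificateException, IOException {
        byte[] pem = URLDecoder.decode(urlEncodedPem, "UTF-8").getBytes("US-ASCII");
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(pem));
    }
}
```

The filter only makes the certificate available to CXF; trust in it (SAML or XML-signature key validation) is still decided by the existing checks that consume TLSSessionInfo.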