> add the certificate back in to its stack
Sure. It's not clear to me how to do this: what is CXF looking for, and will it
do the right thing even though the transport is not TLS? It seems that
AbstractHttpDestination needs cipher-suites (which wouldn't be known to the
CXF servlet) to actually "propogate" [sic] TlsSessionInfo:
    private static void propogateSecureSession(HttpServletRequest request,
                                               Message message) {
        // Servlet-spec request attribute, normally set by the TLS-terminating container
        final String cipherSuite =
            (String) request.getAttribute(SSL_CIPHER_SUITE_ATTRIBUTE);
        if (cipherSuite != null) {
            final java.security.cert.Certificate[] certs =
                (java.security.cert.Certificate[])
                    request.getAttribute(SSL_PEER_CERT_CHAIN_ATTRIBUTE);
            message.put(TLSSessionInfo.class,
                        new TLSSessionInfo(cipherSuite,
                                           null,
                                           certs));
        }
    }
Nimish
On 11/3/19, 6:45 PM, "Jason Pyeron" <[email protected]> wrote:
Write a filter for your application server to add the certificate back in
to its stack. By doing that the default get client certificate Servlet features
can be used.
> -----Original Message-----
> From: Nimish Telang [mailto:[email protected]]
> Sent: Sunday, November 3, 2019 6:03 PM
> To: [email protected]
> Subject: Support for X-Forwarded-Client-Certificate
>
> Hi,
>
> I’m trying to run a CXF service behind an NGINX-ingress http proxy that has
> to terminate mutual TLS. I’d like to have the client certificate forwarded to
> the CXF server, since it’s needed to verify SAML and XML signature trust
> (they just include the RSA public key).
>
> Is this natively supported in CXF, and if not, how should I make CXF aware of
> the forwarded client certificate even though the CXF server is not listening
> on TLS and is not terminating TLS?
>
> Nimish
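One way to do what Jason describes, as an added example that is not code from CXF, NGINX or either poster: a servlet filter that parses the forwarded PEM certificate and sets the two Servlet-spec request attributes that CXF's propogateSecureSession reads, honouring the header only when the request arrives from the TLS-terminating ingress. It assumes a URL-escaped PEM header (the form nginx's $ssl_client_escaped_cert produces), a placeholder proxy address of 10.0.0.1, and Servlet 4.0+ so that init/destroy need not be implemented.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

// Example filter, not CXF or NGINX code; header name, escaping and proxy address are assumed.
public class ForwardedClientCertFilter implements Filter {
    static final String HEADER = "X-Forwarded-Client-Certificate";
    // Servlet-spec attribute names that CXF's AbstractHTTPDestination reads.
    static final String CIPHER_SUITE_ATTR = "javax.servlet.request.cipher_suite";
    static final String CERT_CHAIN_ATTR = "javax.servlet.request.X509Certificate";
    // Only the TLS-terminating ingress may assert a client identity (placeholder address).
    static final String TRUSTED_PROXY = "10.0.0.1";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String header = http.getHeader(HEADER);
        // A header from any other peer is ignored, never trusted.
        if (header != null && TRUSTED_PROXY.equals(http.getRemoteAddr())) {
            try {
                X509Certificate[] chainCerts = { parsePem(header) };
                // The real suite is only known at the proxy; CXF just needs a non-null value.
                http.setAttribute(CIPHER_SUITE_ATTR, "FORWARDED-BY-INGRESS");
                http.setAttribute(CERT_CHAIN_ATTR, chainCerts);
            } catch (CertificateException e) {
                throw new ServletException("unparseable forwarded client certificate", e);
            }
        }
        chain.doFilter(req, res);
    }

    // Decodes one URL-escaped PEM block into an X509Certificate.
    static X509Certificate parsePem(String escapedPem) throws CertificateException {
        String pem = URLDecoder.decode(escapedPem, StandardCharsets.UTF_8);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }
}
```

Register it ahead of the CXF servlet; anything downstream that inspects the cipher suite in TLSSessionInfo will see the marker string rather than the suite negotiated at the ingress.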