Use a mock cipher suite name, e.g. LAYER_7_WAF_INJECTION

> -----Original Message-----
> From: Nimish Telang [mailto:nim...@telang.net.INVALID]
> Sent: Sunday, November 3, 2019 7:08 PM
> To: users@cxf.apache.org
> Subject: Re: Support for X-Forwarded-Client-Certificate
> 
> > add the certificate back in to its stack
> 
> Sure. It's not clear to me how to do this: what is CXF looking for, and will
> it do the right thing even though the transport is not TLS? It seems that
> AbstractHttpDestination needs cipher-suites (which wouldn't be known to
> the CXF servlet) to actually "propogate" [sic] TlsSessionInfo:
> 
>     private static void propogateSecureSession(HttpServletRequest request,
>                                               Message message) {
>         final String cipherSuite =
>             (String) request.getAttribute(SSL_CIPHER_SUITE_ATTRIBUTE);
>         if (cipherSuite != null) {
>             final java.security.cert.Certificate[] certs =
>                 (java.security.cert.Certificate[])
>                     request.getAttribute(SSL_PEER_CERT_CHAIN_ATTRIBUTE);
>             message.put(TLSSessionInfo.class,
>                         new TLSSessionInfo(cipherSuite,
>                                            null,
>                                            certs));
>         }
>     }
> 
> Nimish
> 
> 
> On 11/3/19, 6:45 PM, "Jason Pyeron" <jpye...@pdinc.us> wrote:
> 
>     Write a filter for your application server to add the certificate back in
> to its stack. By doing that, the default Servlet client certificate features
> can be used.
> 
>     > -----Original Message-----
>     > From: Nimish Telang [mailto:nim...@telang.net.INVALID]
>     > Sent: Sunday, November 3, 2019 6:03 PM
>     > To: users@cxf.apache.org
>     > Subject: Support for X-Forwarded-Client-Certificate
>     >
>     > Hi,
>     >
>     > I’m trying to run a CXF service behind an NGINX-ingress http proxy that
>     > has to terminate mutual TLS. I’d like to have the client certificate
>     > forwarded to the CXF server, since it’s needed to verify SAML and XML
>     > signature trust (they just include the RSA public key).
>     >
>     > Is this natively supported in CXF, and if not, how should I make CXF
>     > aware of the forwarded client certificate even though the CXF server is
>     > not listening on TLS and is not terminating TLS?
>     >
>     > Nimish
> 
> 
> 
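The filter Jason describes, written out as an added example (not code from the thread or from CXF itself): it puts the forwarded certificate back under the Servlet-spec attribute names that CXF's SSL_PEER_CERT_CHAIN_ATTRIBUTE and SSL_CIPHER_SUITE_ATTRIBUTE constants refer to, using the mock suite name from the reply. The header name, the URL-encoded PEM encoding of its value (the form NGINX's $ssl_client_escaped_cert emits) and the trusted proxy address are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;

/** Restores a proxy-forwarded client certificate as the standard Servlet TLS request attributes. */
public class ForwardedClientCertFilter implements Filter {
    // Header name from the thread; value assumed to be URL-encoded PEM (NGINX $ssl_client_escaped_cert).
    static final String HEADER = "X-Forwarded-Client-Certificate";
    // Servlet-spec attribute names; CXF's AbstractHTTPDestination constants resolve to these.
    static final String CIPHER_ATTR = "javax.servlet.request.cipher_suite";
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    // Mock suite name from the reply: CXF only checks that the attribute is non-null.
    static final String MOCK_SUITE = "LAYER_7_WAF_INJECTION";
    // Assumed address of the TLS-terminating proxy; only it may assert a client identity.
    static final String TRUSTED_PROXY = "10.0.0.1";

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String header = ((HttpServletRequest) req).getHeader(HEADER);
        // Honour the header only when the request really came from the proxy; otherwise
        // any client could forge an identity by sending a certificate header of its own.
        if (header != null && TRUSTED_PROXY.equals(req.getRemoteAddr())) {
            try {
                X509Certificate cert = parsePem(URLDecoder.decode(header, "UTF-8"));
                req.setAttribute(CERT_ATTR, new X509Certificate[] {cert});
                req.setAttribute(CIPHER_ATTR, MOCK_SUITE);
            } catch (CertificateException e) {
                throw new ServletException("Unparseable forwarded client certificate", e);
            }
        }
        chain.doFilter(req, res);
    }

    /** Parses one PEM-encoded certificate; the JDK X.509 factory accepts BEGIN/END-wrapped Base64. */
    static X509Certificate parsePem(String pem) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }
    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
}
```

Map the filter ahead of the CXF servlet so the attributes are in place before propogateSecureSession reads them.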

