Use a mock cipher suite name, e.g. LAYER_7_WAF_INJECTION
> -----Original Message-----
> From: Nimish Telang [mailto:nim...@telang.net.INVALID]
> Sent: Sunday, November 3, 2019 7:08 PM
> To: users@cxf.apache.org
> Subject: Re: Support for X-Forwarded-Client-Certificate
>
> > add the certificate back in to its stack
>
> Sure. It's not clear to me how to do this: what is CXF looking for, and will
> it do the right thing even though the transport is not TLS? It seems that
> AbstractHttpDestination needs cipher-suites (which wouldn't be known to
> the CXF servlet) to actually "propogate" [sic] TlsSessionInfo:
>
>     private static void propogateSecureSession(HttpServletRequest request,
>                                                Message message) {
>         final String cipherSuite =
>             (String) request.getAttribute(SSL_CIPHER_SUITE_ATTRIBUTE);
>         if (cipherSuite != null) {
>             final java.security.cert.Certificate[] certs =
>                 (java.security.cert.Certificate[])
>                     request.getAttribute(SSL_PEER_CERT_CHAIN_ATTRIBUTE);
>             message.put(TLSSessionInfo.class,
>                         new TLSSessionInfo(cipherSuite,
>                                            null,
>                                            certs));
>         }
>     }
>
> Nimish
>
>
> On 11/3/19, 6:45 PM, "Jason Pyeron" <jpye...@pdinc.us> wrote:
>
> Write a filter for your application server to add the certificate back into
> its stack. By doing that the default get-client-certificate Servlet features
> can be used.
>
> > -----Original Message-----
> > From: Nimish Telang [mailto:nim...@telang.net.INVALID]
> > Sent: Sunday, November 3, 2019 6:03 PM
> > To: users@cxf.apache.org
> > Subject: Support for X-Forwarded-Client-Certificate
> >
> > Hi,
> >
> > I’m trying to run a CXF service behind an NGINX-ingress http proxy that has
> > to terminate mutual TLS. I’d like to have the client certificate forwarded
> > to the CXF server, since it’s needed to verify SAML and XML signature trust
> > (they just include the RSA public key).
> >
> > Is this natively supported in CXF, and if not, how should I make CXF aware
> > of the forwarded client certificate even though the CXF server is not
> > listening on TLS and is not terminating TLS?
> >
> > Nimish
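A servlet filter along the lines Jason suggests, written as an added example for this thread (it is not code from the thread or from CXF): it rebuilds the standard Servlet TLS attributes javax.servlet.request.X509Certificate and javax.servlet.request.cipher_suite, which is what the quoted CXF constants resolve to, so that propogateSecureSession populates TLSSessionInfo, and it plugs in the mock cipher-suite name from the reply. Assumptions: the proxy sends a URL-encoded PEM certificate in X-Forwarded-Client-Certificate (as NGINX's $ssl_client_escaped_cert would), the trusted proxy addresses are constructed placeholders, and the javax.servlet 4.0 API on Java 9+ (default init/destroy, Set.of).

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.*;

public class ForwardedClientCertFilter implements Filter {
    // Header name from the thread; a URL-encoded PEM payload is an assumption about the proxy.
    static final String HEADER = "X-Forwarded-Client-Certificate";
    // Servlet-spec attribute names, i.e. what the quoted CXF code reads back.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    static final String SUITE_ATTR = "javax.servlet.request.cipher_suite";
    // Mock cipher-suite name from the reply: a marker that TLS was terminated upstream.
    static final String MOCK_SUITE = "LAYER_7_WAF_INJECTION";
    // Constructed placeholders: only the TLS-terminating proxy may assert a client identity.
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "127.0.0.1");

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;
        String header = request.getHeader(HEADER);
        if (header != null) {
            // Any caller can send this header; refuse it unless the request came via the proxy.
            if (!TRUSTED_PROXIES.contains(request.getRemoteAddr())) {
                response.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            try {
                String pem = URLDecoder.decode(header, StandardCharsets.UTF_8.name());
                X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                        .generateCertificate(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
                cert.checkValidity(); // reject expired or not-yet-valid certificates early
                request.setAttribute(CERT_ATTR, new X509Certificate[] { cert });
                request.setAttribute(SUITE_ATTR, MOCK_SUITE);
            } catch (CertificateException e) {
                response.sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        chain.doFilter(req, res);
    }
}
```

The filter only reconstructs what the proxy already verified at mTLS termination; chain validation and SAML/XML-signature trust still happen in CXF against its truststore, and the remote-address check is what stops a caller who can reach the servlet directly from forging an identity through the header.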