This works, but feels a tad dirty. I ended up modifying https://github.com/cloudfoundry/java-buildpack-client-certificate-mapper/blob/master/src/main/java/org/cloudfoundry/router/ClientCertificateMapper.java and having to insert a new SamlAssertionValidator that is aware of the certs.
Thanks!

Nimish

On 11/4/19, 4:57 AM, "Jason Pyeron" <[email protected]> wrote:

Use a mock cipher suite name, e.g. LAYER_7_WAF_INJECTION

> -----Original Message-----
> From: Nimish Telang [mailto:[email protected]]
> Sent: Sunday, November 3, 2019 7:08 PM
> To: [email protected]
> Subject: Re: Support for X-Forwarded-Client-Certificate
>
> > add the certificate back in to its stack
>
> Sure. It's not clear to me how to do this: what is CXF looking for, and will it do
> the right thing even though the transport is not TLS? It seems to go to
> AbstractHttpDestination, which needs cipher-suites (which wouldn't be known to
> the CXF servlet) to actually "propogate" [sic] TlsSessionInfo:
>
> private static void propogateSecureSession(HttpServletRequest request,
>                                            Message message) {
>     final String cipherSuite =
>         (String) request.getAttribute(SSL_CIPHER_SUITE_ATTRIBUTE);
>     if (cipherSuite != null) {
>         final java.security.cert.Certificate[] certs =
>             (java.security.cert.Certificate[])
>                 request.getAttribute(SSL_PEER_CERT_CHAIN_ATTRIBUTE);
>         message.put(TLSSessionInfo.class,
>                     new TLSSessionInfo(cipherSuite,
>                                        null,
>                                        certs));
>     }
> }
>
> Nimish
>
>
> On 11/3/19, 6:45 PM, "Jason Pyeron" <[email protected]> wrote:
>
> > Write a filter for your application server to add the certificate back in to its
> > stack. By doing that the default get client certificate Servlet features can be
> > used.
>
> > > -----Original Message-----
> > > From: Nimish Telang [mailto:[email protected]]
> > > Sent: Sunday, November 3, 2019 6:03 PM
> > > To: [email protected]
> > > Subject: Support for X-Forwarded-Client-Certificate
> > >
> > > Hi,
> > >
> > > I’m trying to run a CXF service behind an NGINX-ingress http proxy that has
> > > to terminate mutual TLS. I’d like to have the client certificate forwarded to
> > > the CXF server, since it’s needed to verify SAML and XML signature trust
> > > (they just include the RSA public key).
> > >
> > > Is this natively supported in CXF, and if not, how should I make CXF aware of
> > > the forwarded client certificate even though the CXF server is not listening on
> > > TLS and is not terminating TLS?
> > >
> > > Nimish
> > >
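A filter of the kind Jason describes, added here as an example (it is not code from the thread, from CXF, or from the buildpack mapper Nimish modified): it puts a proxy-forwarded certificate back under the Servlet-spec attribute names that CXF's propogateSecureSession reads, using the placeholder cipher suite name from the thread. It assumes the header carries a single URL-encoded PEM certificate and that the proxy's addresses are known; both the header format and the allow-list are assumptions.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.servlet.*;
import javax.servlet.http.HttpServletRequest;
/** Re-inserts a proxy-forwarded client certificate under the Servlet-spec TLS attributes CXF reads. */
public class ForwardedClientCertFilter implements Filter {
    // Servlet-spec attribute names; CXF's AbstractHTTPDestination reads these same keys.
    static final String CIPHER_SUITE_ATTR = "javax.servlet.request.cipher_suite";
    static final String PEER_CERTS_ATTR = "javax.servlet.request.X509Certificate";
    // Header and placeholder cipher suite from the thread; URL-encoded PEM in the header is assumed.
    static final String HEADER = "X-Forwarded-Client-Certificate";
    static final String MOCK_CIPHER_SUITE = "LAYER_7_WAF_INJECTION";
    // Hypothetical allow-list of proxy addresses: only these peers may assert a forwarded
    // certificate, otherwise any client reaching the service directly could impersonate a cert holder.
    private final Set<String> trustedProxies = Set.of("127.0.0.1", "10.0.0.1");

    @Override public void init(FilterConfig cfg) {}
    @Override public void destroy() {}
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest http = (HttpServletRequest) req;
        String header = http.getHeader(HEADER);
        // Act only when the header came from a trusted proxy and the container set no real TLS info.
        if (header != null && trustedProxies.contains(http.getRemoteAddr())
                && http.getAttribute(PEER_CERTS_ATTR) == null) {
            try {
                X509Certificate cert = parseUrlEncodedPem(header);
                http.setAttribute(PEER_CERTS_ATTR, new X509Certificate[] { cert });
                http.setAttribute(CIPHER_SUITE_ATTR, MOCK_CIPHER_SUITE);
            } catch (CertificateException | IllegalArgumentException e) {
                // Malformed header: set no TLS attributes, so CXF treats the request as having no client cert.
            }
        }
        chain.doFilter(req, res);
    }
    // Decodes one URL-encoded PEM certificate; the JDK X.509 factory accepts PEM input directly.
    static X509Certificate parseUrlEncodedPem(String value) throws CertificateException {
        String pem = URLDecoder.decode(value, StandardCharsets.UTF_8);
        return (X509Certificate) CertificateFactory.getInstance("X.509")
                .generateCertificate(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
    }
}
```

Registering the filter ahead of the CXF servlet is what makes TLSSessionInfo appear on the CXF message; the remote-address check is the part that keeps a header added by an arbitrary client from being honoured.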
