Hi all
I Have an Apache Web Server v2.2.14 which is used as a front-end for a
Tomcat Server v5.5. The connector between servers is mod_jk v1.2.28.
So the Tomcat Server is behind the Apache Server, itself behind an IPS
(Intrusion Prevention System). The IPS is in a DMZ, and HTTPS/SSL is enabled
only in this area. So there is NO HTTPS/SSL nor on Apache or on Tomcat.
The users of my application authenticate with an x509 certificate contained
in a USB device. The SSL mutual authentication is done by the IPS. After
that, all is in HTTP.
What I want is to get the client's certificate on Tomcat, to perform further
business check in my application.
The only thing that I know is that, after mutual SSL authentication, the IPS
put the client certificate in the HTTP header with the value
"X-SSL_CLIENT_CERT".
My questions are :
1/ is Apache able to forward the client's certificate to Tomcat, even there
is no HTTPS on Apache and Tomcat ? (maybe using JkEnvVar ?)
2/ the value "X-SSL_CLIENT_CERT" to store the cert in http header : is it
standard ? is there a difference with "SSL_CLIENT_CERT" ? If not standard,
this could be modified.
3/ Ideally, is there a way with Apache to put the client's certificate as a
request attribute "javax.servlet.request.X509Certificate" ? (because I use
Spring Security in my app, and X509 authentication with Spring Security uses
request.getAttribute("javax.servlet.request.X509Certificate") to get the
cert and authenticate)
PS1 : I would have run some tests myself, but I have to write quickly a
specification without having all I need to test if what I write is good :(
PS2 : Sorry if my english is bad because I'm french...
Thanx in advance
Stieuma
