Bipin,

On 12/2/16 7:27 AM, Bipin Jethwani wrote:
> We use Spring security and want to use Two Way SSL for a few Jersey
> based REST APIs exposed for mobile devices. SSL is offloaded at
> load-balancer or apache level.
> 
> Can we still get access to client certificate at web app level?

That depends.

How are you connecting your load-balancer to Tomcat? Can you configure
the load-balancer to forward the TLS details to Tomcat? With httpd,
both mod_jk and mod_proxy_ajp can do it natively. Using
mod_proxy_http, you just have to make sure that the certificates are
forwarded as HTTP request headers, and you'll need to configure the
RemoteIPValve to unpack that information and put it into the
HttpServletRequest object in a place your application might expect it
to be.

> On second thought we can live without having access to client cert
> but can we have load-balancer or apache configured to request a
> client cert only for specific URLs?

No. Only the component terminating TLS can request a certificate from
the client. If there is a way for you to signal to the load-balancer
that you want to request a certificate, then the load-balancer can
request a TLS renegotiation and ask for a client certificate at that
point.

> Is there a standard for this?

None that I know of.

-chris
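
An added configuration sketch, not part of the original message, for the setup discussed above: httpd terminates TLS, requests a client certificate only under one URL prefix, and forwards it to Tomcat as a request header over mod_proxy_http. The host names, file paths and the /api/secure/ prefix are placeholders.

```apache
# Added example; all names and paths below are placeholders.
<VirtualHost *:443>
    ServerName api.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/server.crt
    SSLCertificateKeyFile /etc/httpd/tls/server.key
    # CA(s) allowed to issue client certificates
    SSLCACertificateFile  /etc/httpd/tls/client-ca.crt

    # Default for the whole virtual host: do not ask for a client certificate.
    SSLVerifyClient none

    # Drop any copy of these headers sent by the caller, so a client cannot
    # inject a certificate of its own choosing on URLs where none is required.
    RequestHeader unset SSL_CLIENT_CERT
    RequestHeader unset SSL_CLIENT_VERIFY

    # Only this prefix requires a client certificate. httpd, as the component
    # terminating TLS, asks the client for it when a request hits this path.
    <Location "/api/secure/">
        SSLVerifyClient require
        SSLVerifyDepth  2

        # Forward the verified certificate (PEM) and the verification result.
        # Tomcat's SSLValve reads a header named ssl_client_cert by default.
        RequestHeader set SSL_CLIENT_CERT   "%{SSL_CLIENT_CERT}s"
        RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
    </Location>

    # Back end reached over plain HTTP. Tomcat must accept connections only
    # from this proxy, otherwise anyone who can reach it can set the headers.
    ProxyPass        /api/ http://tomcat.internal.example:8080/api/
    ProxyPassReverse /api/ http://tomcat.internal.example:8080/api/
</VirtualHost>
```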