Thanks André. I will surely give it a try and update you.

Meanwhile, my team seems to be tilted toward a servlet filter or Jersey hook to get this working at the application layer.
We got a public key inside of the mobile app and the corresponding private key on the server side, and we would be signing the response message.
Plus we already have logic to rotate that PKI key pair.
-thanks

On 9 December 2016 at 03:26, André Warnier (tomcat) <a...@ice-sa.com> wrote:

> On 02.12.2016 13:27, Bipin Jethwani wrote:
>
>> We use Spring security and want to use Two Way SSL for a few Jersey based
>> REST APIs exposed for mobile devices. SSL is offloaded at load-balancer or
>> apache level.
>>
>> Can we still get access to client certificate at web app level?
>>
>> On second thought we can live without having access to client cert but can
>> we have load-balancer or apache configured to request for client cert only
>> for specific URLs?
>>
>
> On second thought, and after checking the Apache httpd configuration
> directives, you may want to look at this :
> http://httpd.apache.org/docs/2.4/mod/mod_ssl.html#sslverifyclient
>
> It seems that, contrary to most SSL-oriented directives, this one /can/ be
> used at the "directory" level (which means also in a <Location> section).
>
> So you could specify it only for some URLs, at the Apache httpd front-end
> level.
>
>> Is there a standard for this?
>>
>> -Bipin
>>
>
> Hi.
>
> If indeed "SSL is offloaded at load-balancer or apache level", isn't this
> more a question for the respective user's list of these products, rather
> than for the Tomcat user's list ?
>
> If you do need some SSL information at the Tomcat back-end level, and if
> between your Apache httpd front-end, and the Tomcat back-ends, the
> proxy/balancer module which you are using is mod_jk, then you will find
> most pertinent information about passing SSL data from the front-end to the
> back-end Tomcat (even if you "terminate" the SSL at the httpd level), here :
> http://tomcat.apache.org/connectors-doc/reference/apache.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
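
The per-URL client-certificate setup suggested in the quoted reply, sketched as an httpd 2.4 virtual host with mod_ssl and mod_jk. This is an added example, not configuration from the thread: the host name, file paths, URL prefixes and the worker name `worker1` are assumptions, and the worker itself must be defined in a workers.properties file that is not shown.

```apache
<VirtualHost *:443>
    ServerName api.example.com                      # assumed host name

    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/server.crt # assumed paths
    SSLCertificateKeyFile /etc/httpd/tls/server.key

    # CA that issues the mobile client certificates (assumed path).
    # Only certificates chaining to this CA pass verification.
    SSLCACertificateFile  /etc/httpd/tls/mobile-clients-ca.pem

    # Default for the whole virtual host: no client certificate requested.
    SSLVerifyClient none

    # Two-way SSL only for the protected REST prefix (assumed URL).
    # In per-location context httpd asks for the certificate after it has
    # read the request, which means a TLS renegotiation (TLS 1.2) or
    # post-handshake authentication (TLS 1.3); clients must support that.
    <Location "/api/mobile/secure/">
        SSLVerifyClient require
        SSLVerifyDepth  1
    </Location>

    # Forward requests to Tomcat over AJP and pass the SSL data along.
    # JkExtractSSL is On by default; it is spelled out here for clarity.
    JkMount /api/* worker1
    JkExtractSSL On
    JkOptions +ForwardSSLCertChain
</VirtualHost>
```

With this in place the web application can read the verified certificate from the `javax.servlet.request.X509Certificate` request attribute, and requests outside the protected prefix carry no certificate at all, so the application should treat a missing attribute on a protected URL as an error rather than as an anonymous caller.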