Class HeaderClientCertificateExtractor

  • All Implemented Interfaces:
    ClientCertificateExtractor
  • Direct Known Subclasses:
    HeaderClientCertificateClientCertExtractor, HeaderClientCertificateXSslExtractor

    public abstract class HeaderClientCertificateExtractor
    extends Object
    implements ClientCertificateExtractor
    Extracts the client certificate from the headers defined by the clientCertificateChainHeaders member list. The first element in the list is the header for the client's own certificate. Each additional header in the list is checked in order and, if present, added to the resulting output.

    Headers that are missing, empty, or contain only the string "(null)" are not returned in the list.

    Different proxy servers use different configuration methods. For the Apache server, one possible method using the default headers for this class is below:

       SSLEngine on
       SSLCertificateFile /etc/certs/tls.crt
       SSLCertificateKeyFile /etc/certs/tls.key
       SSLVerifyClient optional_no_ca
       SSLOptions +StdEnvVars +ExportCertData
       RequestHeader set X-Ssl-Cipher "%{SSL_CIPHER}e" env=SSL_CIPHER
       RequestHeader set X-Ssl-Cert "%{SSL_CLIENT_CERT}e" env=SSL_CLIENT_CERT
       RequestHeader set X-Ssl-Protocol "%{SSL_PROTOCOL}e" env=SSL_PROTOCOL
       RequestHeader set X-Ssl-Verify "%{SSL_CLIENT_VERIFY}e" env=SSL_CLIENT_VERIFY
       RequestHeader set X-Ssl-Cert-Chain-0 "%{SSL_CLIENT_CERT_CHAIN_0}e" env=SSL_CLIENT_CERT_CHAIN_0
       RequestHeader set X-Ssl-Cert-Chain-1 "%{SSL_CLIENT_CERT_CHAIN_1}e" env=SSL_CLIENT_CERT_CHAIN_1
       RequestHeader set X-Ssl-Cert-Chain-2 "%{SSL_CLIENT_CERT_CHAIN_2}e" env=SSL_CLIENT_CERT_CHAIN_2
       RequestHeader set X-Ssl-Cert-Chain-3 "%{SSL_CLIENT_CERT_CHAIN_3}e" env=SSL_CLIENT_CERT_CHAIN_3
       RequestHeader set X-Ssl-Cert-Chain-4 "%{SSL_CLIENT_CERT_CHAIN_4}e" env=SSL_CLIENT_CERT_CHAIN_4
       ProxyPreserveHost on
       ProxyPass "/" "http://localhost:8081/"
       ProxyPassReverse "/" "http://localhost:8081/"
     

    On the other hand, Nginx's configuration file may have the following line.

       proxy_set_header X-Ssl-Cert $ssl_client_escaped_cert;
     

    Note that $ssl_client_cert is deprecated, and its value will cause an error when sent to an upstream server that strictly conforms to the requirements of "Section 3.2.4. Field Parsing" in RFC 7230. The RFC deprecates "line folding", which allows an HTTP header value to span multiple lines by preceding each extra line with at least one space or horizontal tab. For example, Jetty reports "Bad Message 400 / reason: Header Folding" when it encounters line folding.
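    The following stand-alone class is an added illustration of the header-walking behaviour described above; it is not the library's own implementation. Request headers are modelled as a Map rather than an HttpServletRequest so it compiles without the servlet API, the header names are the ones used in the Apache configuration above (assumed to be the defaults), and the percent-decoding step (for nginx's $ssl_client_escaped_cert) and the PEM re-wrapping step are assumptions about how proxy-supplied values need to be normalised before use. The sample certificate bodies are constructed placeholders, not real certificates.

```java
import java.io.ByteArrayOutputStream;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/** Illustrative re-implementation of the header walk; not the library's code. */
public class HeaderChainExample {

    /** Header names from the Apache configuration above (assumed defaults). */
    static final List<String> X_SSL_HEADERS = Arrays.asList(
            "X-Ssl-Cert",
            "X-Ssl-Cert-Chain-0", "X-Ssl-Cert-Chain-1", "X-Ssl-Cert-Chain-2",
            "X-Ssl-Cert-Chain-3", "X-Ssl-Cert-Chain-4");

    /**
     * Walk the configured headers in order. Absent, empty and "(null)" values are
     * skipped, so the result is dense and element 0 is the client's own certificate.
     */
    static String[] extractChain(Map<String, String> headers, List<String> headerNames) {
        List<String> chain = new ArrayList<>();
        for (String name : headerNames) {
            String value = headers.get(name);
            if (value == null || value.isEmpty() || "(null)".equals(value)) {
                continue;
            }
            chain.add(toCanonicalPem(percentDecode(value)));
        }
        return chain.toArray(new String[0]);
    }

    /**
     * Reverse nginx's $ssl_client_escaped_cert encoding (assumed step). A literal '+'
     * is kept as-is because it is a base64 character, which is why URLDecoder is avoided.
     */
    static String percentDecode(String s) {
        if (s.indexOf('%') < 0) {
            return s;
        }
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            if (c == '%' && i + 2 < s.length()
                    && Character.digit(s.charAt(i + 1), 16) >= 0
                    && Character.digit(s.charAt(i + 2), 16) >= 0) {
                out.write(Integer.parseInt(s.substring(i + 1, i + 3), 16));
                i += 2;
            } else {
                out.write(c);
            }
        }
        return new String(out.toByteArray(), StandardCharsets.US_ASCII);
    }

    /**
     * Some proxies flatten the PEM onto one line with spaces where newlines were;
     * re-wrap into canonical 64-column PEM so callers always see the same shape (assumed step).
     */
    static String toCanonicalPem(String pem) {
        String body = pem.replace("-----BEGIN CERTIFICATE-----", "")
                         .replace("-----END CERTIFICATE-----", "")
                         .replaceAll("\\s+", "");
        StringBuilder sb = new StringBuilder("-----BEGIN CERTIFICATE-----\n");
        for (int i = 0; i < body.length(); i += 64) {
            sb.append(body, i, Math.min(i + 64, body.length())).append('\n');
        }
        return sb.append("-----END CERTIFICATE-----\n").toString();
    }

    public static void main(String[] args) {
        // Constructed sample: the base64 bodies are placeholders, not real certificates.
        String clientBody = "MIIBCLIENTPLACEHOLDER0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOP+/=";
        String issuerBody = "MIIBISSUERPLACEHOLDER0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOP+/=";

        Map<String, String> headers = new LinkedHashMap<>();
        // Flattened style: PEM newlines replaced by spaces in the header value.
        headers.put("X-Ssl-Cert", "-----BEGIN CERTIFICATE----- " + clientBody + " -----END CERTIFICATE-----");
        // nginx style ($ssl_client_escaped_cert): percent-encoded, including '+', '/', '=' and newlines.
        headers.put("X-Ssl-Cert-Chain-0", "-----BEGIN%20CERTIFICATE-----%0A"
                + issuerBody.replace("+", "%2B").replace("/", "%2F").replace("=", "%3D")
                + "%0A-----END%20CERTIFICATE-----");
        headers.put("X-Ssl-Cert-Chain-1", "(null)"); // the literal the extractor ignores
        headers.put("X-Ssl-Cert-Chain-2", "");       // empty header, also skipped
        // X-Ssl-Cert-Chain-3 and -4 are absent entirely.

        String[] chain = extractChain(headers, X_SSL_HEADERS);
        System.out.println("certificates extracted: " + chain.length); // 2
        for (String pem : chain) {
            System.out.print(pem);
        }
    }
}
```

    Two points worth keeping in mind when wiring this up: the extractor returns whatever the proxy forwarded and does no chain validation of its own, so with SSLVerifyClient optional_no_ca as above the verification outcome lives in X-Ssl-Verify rather than in the chain itself; and the headers are only meaningful when the application is reached through the proxy that sets them.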

    Since:
    2.8
    Author:
    jricher
    See Also:
    Apache Module mod_ssl
    • Constructor Detail

      • HeaderClientCertificateExtractor

        public HeaderClientCertificateExtractor()
    • Method Detail

      • extractClientCertificateChain

        public String[] extractClientCertificateChain(javax.servlet.http.HttpServletRequest request)
        Description copied from interface: ClientCertificateExtractor
        Search the given request for a client's certificate and return it as a string of certificates in PEM format.
        Specified by:
        extractClientCertificateChain in interface ClientCertificateExtractor
        Parameters:
        request - The incoming HTTP request to search.
        Returns:
        The client's MTLS certificate chain. All certificates are in PEM format, the first certificate is the client's own certificate.
      • getClientCertificateChainHeaders

        public List<String> getClientCertificateChainHeaders()
        Get the headers that will be checked for the client certificate chain. The first element in the list is the header for the client's own certificate. Each additional header in the list is checked in order and, if present, added to the resulting output.
      • setClientCertificateChainHeaders

        public HeaderClientCertificateExtractor setClientCertificateChainHeaders(List<String> clientCertificateChainHeaders)
        Set the headers that will be checked for the client certificate chain. The first element in the list is the header for the client's own certificate. Each additional header in the list is checked in order and, if present, added to the resulting output.