This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-core.git
commit 1bf6ec9e405c7aa63406ffa248cd69f0274a8009 Author: Robert Lazarski <[email protected]> AuthorDate: Thu Apr 9 07:45:52 2026 -1000 Enable HTTPS-only deployments: JWT + X.509 dual-auth on port 8443 Two changes to MtlsRequestMatcher and the mTLS security filter chain: 1. Exclude login and OpenAPI paths from the mTLS matcher so they fall through to their own filter chains (Order 3 and 4). Without this, the login endpoint on port 8443 was blocked by the X509 filter because no client cert was presented. 2. Add JWTAuthenticationFilter to the mTLS chain so port 8443 accepts both X.509 client certs (mTLS) and JWT Bearer tokens. X509 filter runs first — if a client cert is present, it sets authentication. If no cert, X509 filter is a no-op and JWT filter handles the Bearer token. This enables HTTPS-only deployments where login returns a JWT used for all subsequent service calls on the same port. Tested on WildFly 32.0.1 (local, exploded WAR deployment): - Login via HTTPS 8443: OK - portfolioVariance via HTTPS with JWT: OK - monteCarlo via HTTPS with JWT: OK - openapi-mcp.json via HTTPS (no auth): OK - swagger-ui via HTTPS (no auth): OK - HTTP 8080 backward compatibility: unchanged Co-Authored-By: Claude Opus 4.6 (1M context) <[email protected]>
---
 .../userguide/springboot/Axis2Application.java | 28 +++++++++++++++++++---
 1 file changed, 25 insertions(+), 3 deletions(-)
diff --git a/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/Axis2Application.java b/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/Axis2Application.java
index a5878ba523..27de124cac 100644
--- a/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/Axis2Application.java
+++ b/modules/samples/userguide/src/userguide/springbootdemo-tomcat11/src/main/java/userguide/springboot/Axis2Application.java
@@ -351,9 +351,27 @@ public class Axis2Application extends SpringBootServletInitializer {
 // mTLS requests arrive on port 8443; Tomcat enforces certificateVerification=required
 // so any request reaching this matcher has already passed the TLS client cert check.
 class MtlsRequestMatcher implements RequestMatcher {
+ private static final String[] EXCLUDED_PATHS = {
+ "/services/loginservice", // Login must work without client cert
+ "/openapi.json", // OpenAPI docs are public
+ "/openapi.yaml",
+ "/swagger-ui",
+ "/openapi-mcp.json" // MCP catalog is public
+ };
+
 @Override
 public boolean matches(HttpServletRequest request) {
- return request.getLocalPort() == 8443;
+ if (request.getLocalPort() != 8443) {
+ return false;
+ }
+ // Let login and OpenAPI paths fall through to their own chains
+ String uri = request.getRequestURI().toLowerCase();
+ for (String excluded : EXCLUDED_PATHS) {
+ if (uri.contains(excluded)) {
+ return false;
+ }
+ }
+ return true;
 }
 }
@@ -365,12 +383,16 @@ public class Axis2Application extends SpringBootServletInitializer {
 @Bean(name = "springSecurityFilterChainMtls")
 @Order(2)
 public SecurityFilterChain springSecurityFilterChainMtls() throws Exception {
- // No JWT, no POST-only restriction. X509 filter sets authentication from the
- // client cert; filterSecurityInterceptor passes any authenticated principal.
+ // HTTPS port 8443: accepts both X.509 client certs (mTLS) and JWT Bearer tokens.
+ // X509 filter runs first — if a client cert is present, it sets authentication.
+ // If no cert, X509 filter is a no-op and JWT filter handles Bearer token auth.
+ // This allows HTTPS-only deployments where login returns a JWT used for
+ // subsequent service calls on the same port.
 return new DefaultSecurityFilterChain(
 new MtlsRequestMatcher(),
 headerWriterFilter(),
 x509AuthenticationFilter(),
+ jwtAuthenticationFilter(),
 requestAndResponseValidatorFilter(),
 sessionManagementFilter(),
 filterSecurityInterceptor());
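Review bot: The exclusion test `uri.contains(excluded)` in the new `matches` body is a substring match over the whole request URI, so any request on port 8443 whose path merely contains `/swagger-ui`, `/openapi.json` or `/services/loginservice` anywhere — including as a later segment of an otherwise protected service path — is dropped from the mTLS chain and falls through to the Order 3/4 chains; whether those chains then let it through depends on their matchers, which are outside this diff, but the carve-out is wider than the five listed endpoints. `getRequestURI()` also carries the context path and path parameters and is not decoded, which is presumably why a substring test was chosen, and `toLowerCase()` without `Locale.ROOT` is locale-dependent. Comparing the servlet-resolved path (`getServletPath()` plus `getPathInfo()`) for equality or a `/`-delimited prefix restricts the bypass of the X509 chain to exactly the intended public endpoints; Spring Security's `OrRequestMatcher`/`NegatedRequestMatcher` over path matchers would express the same thing without hand-rolled string handling if the project prefers.
```java
// … unchanged: EXCLUDED_PATHS …
@Override
public boolean matches(HttpServletRequest request) {
    if (request.getLocalPort() != 8443) {
        return false;
    }
    // Compare the container-resolved path below the context root, not the raw URI,
    // and only accept an exact match or a child path — never a substring.
    String path = request.getServletPath();
    if (request.getPathInfo() != null) {
        path = path + request.getPathInfo();
    }
    path = path.toLowerCase(java.util.Locale.ROOT);
    for (String excluded : EXCLUDED_PATHS) {
        if (path.equals(excluded) || path.startsWith(excluded + "/")) {
            return false;
        }
    }
    return true;
}
```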
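Review bot: The new comment on `springSecurityFilterChainMtls` states that the X509 filter is a no-op without a client certificate, but it leaves the case where one request carries both a client certificate and a Bearer token unspecified — whether `jwtAuthenticationFilter()` replaces an authentication already set by `x509AuthenticationFilter()`, or skips when the security context is already populated, depends on that filter's implementation, which is outside this hunk. That precedence decides which identity `filterSecurityInterceptor()` authorizes, so it should be stated here, e.g. `// If both a client cert and a Bearer token are present, <which one wins> — confirm against jwtAuthenticationFilter()`, or enforced in the JWT filter. The removed comment also recorded that this chain has no POST-only restriction; now that JWT-authenticated callers share this chain, it is worth saying whether that restriction (if the 8080 chain applies one) is intentionally absent on 8443.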
