BTW, what does request.isSecure() return in your scenario? For the server side to include the SSL level details in the servlet request object and attributes, you would need to have your server configured to actually include those details in the raw connection.

Eg: https://github.com/eclipse/jetty.project/blob/master/jetty-server/src/main/config/etc/jetty-ssl.xml#L65-L76

  <!-- =========================================================== -->
  <!-- Create a TLS specific HttpConfiguration based on the        -->
  <!-- common HttpConfiguration defined in jetty.xml               -->
  <!-- Add a SecureRequestCustomizer to extract certificate and    -->
  <!-- session information                                         -->
  <!-- =========================================================== -->
  <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
    <Arg><Ref refid="httpConfig"/></Arg>
    <Call name="addCustomizer">
      <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
    </Call>
  </New>

This adds a critical "org.eclipse.jetty.server.SecureRequestCustomizer" to the HttpConfiguration that the jetty-https.xml uses to establish its Connector.

Eg: https://github.com/eclipse/jetty.project/blob/master/jetty-server/src/main/config/etc/jetty-https.xml#L23

  <Configure id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
    <!-- (snip) -->
    <Call name="addConnectionFactory">
      <Arg>
        <New class="org.eclipse.jetty.server.HttpConnectionFactory">
          <Arg name="config"><Ref refid="sslHttpConfig" /></Arg>
        </New>
      </Arg>
    </Call>
  </Configure>

Without this SecureRequestCustomizer, the details from the SSL level will never be placed into the Request object, and your servlet will not know the request credentials.

For the complete list of what it does, just check the source.
https://github.com/eclipse/jetty.project/blob/master/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java

--
Joakim Erdfelt <[email protected]>
webtide.com <http://www.webtide.com/> - intalio.com/jetty
Expert advice, services and support from the Jetty & CometD experts
eclipse.org/jetty - cometd.org

On Mon, Jan 5, 2015 at 11:56 AM, Wenlong Dong <[email protected]> wrote:

> BTW, what is the best way to retrieve the client-cert from the server-side
> please? I did the following. Is it the best way?
>
> protected void doGet(HttpServletRequest request, HttpServletResponse response)
>         throws ServletException, IOException {
>     X509Certificate[] certs =
>         (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
>
> Somehow request.getAuthType() returns null. Is it because authType is only
> set at HTTP layer but not TLS layer? Thanks!
>
> On Mon, Jan 5, 2015 at 12:11 AM, Wenlong Dong <[email protected]> wrote:
>
>> Christoph, thanks a lot for the quick reply! After enabling SSL
>> debugging, I figured it out today. I also needed to call
>> setTrustStorePath/setTrustStorePassword. Now it works fine.
>>
>> On Mon, Jan 5, 2015 at 12:01 AM, Christoph Läubrich <
>> [email protected]> wrote:
>>
>>> Can you show the whole stack trace? I suspect that your server does not
>>> trust the client cert. In that case the SSL connection fails. So you need
>>> to export the public certificate from your client's key store, import it in
>>> a (server) truststore and pass this to the context factory as a trust store.
>>> _______________________________________________
>>> jetty-users mailing list
>>> [email protected]
>>> To change your delivery options, retrieve your password, or unsubscribe
>>> from this list, visit
>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
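
An embedded-Jetty counterpart of the XML discussed in this thread, together with a servlet that reads the client certificate, given here as an added example that is not part of the original messages or of the Jetty project's code. It assumes the Jetty 9 API and javax.servlet; the class names ClientCertServer and WhoAmI, the /whoami path, port 8443, and the keystore paths and passwords are placeholders.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.http.*;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.*;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class ClientCertServer {               // hypothetical class name
    // Refuses any request that did not arrive with a client certificate.
    public static class WhoAmI extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws IOException {
            X509Certificate[] chain =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
            // The attribute is null on plain HTTP, when no client cert was presented, or when
            // SecureRequestCustomizer is missing from the connector's HttpConfiguration.
            if (!req.isSecure() || chain == null || chain.length == 0) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
                return;
            }
            resp.setContentType("text/plain");
            // chain[0] is the certificate the client itself presented.
            resp.getWriter().println(chain[0].getSubjectX500Principal().getName());
        }
    }

    public static void main(String[] args) throws Exception {
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath("server-keystore.jks");       // placeholder path
        ssl.setKeyStorePassword("changeit");              // placeholder password
        ssl.setTrustStorePath("server-truststore.jks");   // placeholder; holds trusted client certs
        ssl.setTrustStorePassword("changeit");            // placeholder password
        ssl.setNeedClientAuth(true);  // handshake fails unless a trusted client cert is sent
        // Same role as the sslHttpConfig element in jetty-ssl.xml.
        HttpConfiguration sslHttpConfig = new HttpConfiguration();
        sslHttpConfig.addCustomizer(new SecureRequestCustomizer());
        Server server = new Server();
        ServerConnector connector = new ServerConnector(server,
            new SslConnectionFactory(ssl, HttpVersion.HTTP_1_1.asString()),
            new HttpConnectionFactory(sslHttpConfig));
        connector.setPort(8443);
        server.addConnector(connector);
        ServletContextHandler context = new ServletContextHandler();
        context.addServlet(WhoAmI.class, "/whoami");
        server.setHandler(context);
        server.start();
        server.join();
    }
}
```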
