Joakim, thanks! The request.isSecure() call always returns true as long as I use SSL, no matter whether the client cert is passed or not. I will try to add a customizer to examine the client-cert. I had hoped to do so from some SecurityHandler or LoginService but not sure how that fits.
On Tue, Jan 6, 2015 at 5:25 AM, Joakim Erdfelt <[email protected]> wrote:
> BTW, what does request.isSecure() return in your scenario?
>
> For the server side to include the SSL level details in the servlet
> request object and attributes, you would need to have your server
> configured to actually include those details in the raw connection.
>
> Eg:
>
> https://github.com/eclipse/jetty.project/blob/master/jetty-server/src/main/config/etc/jetty-ssl.xml#L65-L76
>
> <!-- =========================================================== -->
> <!-- Create a TLS specific HttpConfiguration based on the        -->
> <!-- common HttpConfiguration defined in jetty.xml               -->
> <!-- Add a SecureRequestCustomizer to extract certificate and    -->
> <!-- session information                                         -->
> <!-- =========================================================== -->
> <New id="sslHttpConfig" class="org.eclipse.jetty.server.HttpConfiguration">
>   <Arg><Ref refid="httpConfig"/></Arg>
>   <Call name="addCustomizer">
>     <Arg><New class="org.eclipse.jetty.server.SecureRequestCustomizer"/></Arg>
>   </Call>
> </New>
>
> This adds a critical "org.eclipse.jetty.server.SecureRequestCustomizer" to
> the HttpConfiguration that the jetty-https.xml uses to establish its
> Connector.
>
> Eg:
>
> https://github.com/eclipse/jetty.project/blob/master/jetty-server/src/main/config/etc/jetty-https.xml#L23
>
> <Configure id="sslConnector" class="org.eclipse.jetty.server.ServerConnector">
>
>   <!-- (snip) -->
>
>   <Call name="addConnectionFactory">
>     <Arg>
>       <New class="org.eclipse.jetty.server.HttpConnectionFactory">
>         <Arg name="config"><Ref refid="sslHttpConfig" /></Arg>
>       </New>
>     </Arg>
>   </Call>
>
> </Configure>
>
> Without this SecureRequestCustomizer, the details from the SSL level will
> never be placed into the Request object, and your servlet will not know
> the request credentials.
>
> For the complete list of what it does, just check the source.
> https://github.com/eclipse/jetty.project/blob/master/jetty-server/src/main/java/org/eclipse/jetty/server/SecureRequestCustomizer.java
>
> --
> Joakim Erdfelt <[email protected]>
> webtide.com <http://www.webtide.com/> - intalio.com/jetty
> Expert advice, services and support from the Jetty & CometD experts
> eclipse.org/jetty - cometd.org
>
> On Mon, Jan 5, 2015 at 11:56 AM, Wenlong Dong <[email protected]> wrote:
>
>> BTW, what is the best way to retrieve the client-cert from the
>> server-side please? I did the following. Is it the best way?
>>
>> protected void doGet(HttpServletRequest request, HttpServletResponse response)
>>         throws ServletException, IOException {
>>     X509Certificate[] certs =
>>         (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
>>     // ...
>> }
>>
>> Somehow request.getAuthType() returns null. Is it because authType is
>> only set at HTTP layer but not TLS layer? Thanks!
>>
>> On Mon, Jan 5, 2015 at 12:11 AM, Wenlong Dong <[email protected]> wrote:
>>
>>> Christoph, thanks a lot for the quick reply! After enabling SSL
>>> debugging, I figured it out today. I also needed to call
>>> setTrustStorePath/setTrustStorePassword. Now it works fine.
>>>
>>> On Mon, Jan 5, 2015 at 12:01 AM, Christoph Läubrich <[email protected]> wrote:
>>>
>>>> Can you show the whole stack trace? I suspect that your server does not
>>>> trust the client cert. In that case the SSL connection fails. So you need
>>>> to export the public certificate from your client's key store, import it in
>>>> a (server) truststore and pass this to the context factory as a trust
>>>> store.
>>>> _______________________________________________
>>>> jetty-users mailing list
>>>> [email protected]
>>>> To change your delivery options, retrieve your password, or unsubscribe
>>>> from this list, visit
>>>> https://dev.eclipse.org/mailman/listinfo/jetty-users
_______________________________________________
jetty-users mailing list
[email protected]
To change your delivery options, retrieve your password, or unsubscribe from this list, visit
https://dev.eclipse.org/mailman/listinfo/jetty-users
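The points raised in this thread (SecureRequestCustomizer must be on the HttpConfiguration before the X509Certificate attribute exists, isSecure() is true for any TLS connection whether or not a client cert was sent, and a trust store is needed on the server side) pulled together into one embedded-Jetty program. This is an added example written for this page, not code from the thread or from the Jetty project. It assumes the Jetty 9 embedded API, placeholder key/trust store paths and passwords, and hypothetical attribute names (`example.clientCertPresent`, `example.clientCertSubject`) chosen here for the custom customizer. The custom customizer is registered after SecureRequestCustomizer because customizers run in the order they are added; the servlet treats a missing certificate chain as "no client identity" rather than trusting isSecure().

```java
import java.io.IOException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.servlet.ServletContextHandler;
import org.eclipse.jetty.servlet.ServletHolder;
import org.eclipse.jetty.util.ssl.SslContextFactory;

public class ClientCertServer {

    // Standard servlet attribute that SecureRequestCustomizer populates from the TLS session.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Runs after SecureRequestCustomizer and records whether a trusted client cert was presented. */
    public static class ClientCertCustomizer implements HttpConfiguration.Customizer {
        @Override
        public void customize(Connector connector, HttpConfiguration channelConfig, Request request) {
            X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
            // isSecure() is true for every TLS connection; only the attribute tells us whether
            // the client actually authenticated with a certificate (wantClientAuth makes it optional).
            boolean hasClientCert = chain != null && chain.length > 0;
            request.setAttribute("example.clientCertPresent", hasClientCert);   // hypothetical name
            if (hasClientCert) {
                request.setAttribute("example.clientCertSubject",              // hypothetical name
                        chain[0].getSubjectX500Principal().getName());
            }
        }
    }

    /** Servlet that rejects requests carrying no client certificate and echoes the subject otherwise. */
    public static class WhoAmIServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);
            if (chain == null || chain.length == 0) {
                // TLS without a client cert: secure transport, but no client identity to act on.
                resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
                return;
            }
            resp.setContentType("text/plain");
            resp.getWriter().println("secure=" + req.isSecure()
                    + " authType=" + req.getAuthType()   // null: no SecurityHandler set servlet auth
                    + " subject=" + chain[0].getSubjectX500Principal().getName());
        }
    }

    public static void main(String[] args) throws Exception {
        Server server = new Server();

        // Server key store plus a trust store holding the CA (or certificate) of every client
        // that should be accepted. Paths and passwords below are placeholders.
        SslContextFactory ssl = new SslContextFactory();
        ssl.setKeyStorePath("/path/to/server-keystore.jks");
        ssl.setKeyStorePassword("changeit");
        ssl.setTrustStorePath("/path/to/server-truststore.jks");
        ssl.setTrustStorePassword("changeit");
        // wantClientAuth: ask for a cert but finish the handshake without one, so the servlet
        // decides per path. setNeedClientAuth(true) would fail the handshake instead.
        ssl.setWantClientAuth(true);

        HttpConfiguration httpsConfig = new HttpConfiguration();
        httpsConfig.setSecureScheme("https");
        httpsConfig.setSecurePort(8443);
        // Order matters: SecureRequestCustomizer fills the X509Certificate attribute first.
        httpsConfig.addCustomizer(new SecureRequestCustomizer());
        httpsConfig.addCustomizer(new ClientCertCustomizer());

        ServerConnector https = new ServerConnector(server,
                new SslConnectionFactory(ssl, "http/1.1"),
                new HttpConnectionFactory(httpsConfig));
        https.setPort(8443);
        server.addConnector(https);

        ServletContextHandler ctx = new ServletContextHandler(ServletContextHandler.NO_SESSIONS);
        ctx.setContextPath("/");
        ctx.addServlet(new ServletHolder(new WhoAmIServlet()), "/whoami");
        server.setHandler(ctx);

        server.start();
        server.join();
    }
}
```

Run it with a populated key store and trust store, then request `https://localhost:8443/whoami` once with a client certificate the trust store accepts and once without: the first call returns the subject, the second is refused with 403 even though both connections were TLS. getAuthType() stays null in both cases because it reflects servlet-layer authentication (a SecurityHandler or LoginService), not the TLS handshake.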
