Hi,

I assume there are different parties involved, so if this question
should be raised on another mailing list, could you please point me to it?

I am using Karaf + Pax Web + Jetty.

Currently I build a custom distribution whose Pax Web configuration
(org.ops4j.pax.web.cfg) also contains these lines:

===
org.ops4j.pax.web.ssl.clientauthwanted = true
org.ops4j.pax.web.ssl.clientauthneeded = true

org.ops4j.pax.web.ssl.truststore=${karaf.etc}/truststore.jks
org.ops4j.pax.web.ssl.truststore.password=that-is-not-the-real-one
===

This distribution contains a bundle that registers a servlet "MyServlet".

Now, just FYI, I assume not all is relevant:

===
"MyServlet" extends the "WebSocketServlet"
(org.eclipse.jetty.websocket.servlet.WebSocketServlet).
Type hierarchy: MyServlet -> WebSocketServlet -> HttpServlet ->
GenericServlet [Servlet, ServletConfig, Serializable].

The WebSocketServlet requires the implementation of the abstract
method "public abstract void configure(WebSocketServletFactory
factory);"

In the "configure" implementation a "creator" is set.

factory.setCreator(new MyCreator(...));

MyCreator implements the following method (required by the
WebSocketCreator interface):

public @Nullable Object createWebSocket(final ServletUpgradeRequest
req, final ServletUpgradeResponse resp);

In that method I do a simple certificate check.

I call "final X509Certificate[] certs = req.getCertificates();" and
use the returned chain for the check.

Now back to the relevant part.
===

The current implementation of the client certificate chain check
relies on Jetty already having required the client authentication
(clientauthneeded) and on the certificate already having been checked against
the configured truststore (which contains only a special CA).

As we could rely on a "valid" certificate, I just need to extract the
information I need from the client certificate and "all is fine".


Now, I need to add another servlet to that custom distribution that
should work without a client certificate.

I assume I will need to remove the truststore and clientauth settings
from the configuration (keep wanted and drop needed?) and check the
certificate in the code for "MyServlet" itself.
I further assume it should work with a filter or in the servlet itself.

Are there better ways to handle two servlets where
* Servlet1 needs client authentication
* Servlet2 does not use client authentication

How can I trigger the check of the client certificate correctly in the
servlet / filter to check against a specific truststore?

I am interested in your inputs.

Best regards,
Markus
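An added example of the filter-based approach asked about above (it is not code from the mail, nor from Pax Web or Jetty): a servlet filter placed in front of the servlet that needs client authentication reads the chain the container exposes under the standard `javax.servlet.request.X509Certificate` attribute and validates it against a dedicated truststore, so that the container-wide `clientauthneeded` setting can be dropped. The `truststore` and `truststorePassword` init parameters and the HTTP status codes are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Enforces a client certificate for one servlet only, against its own truststore. */
public class ClientCertFilter implements Filter {
    // Standard attribute under which a servlet container stores the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private X509TrustManager trustManager;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Assumed init parameters; the truststore holds only the special CA.
        String path = cfg.getInitParameter("truststore");
        char[] pw = cfg.getInitParameter("truststorePassword").toCharArray();
        try (FileInputStream in = new FileInputStream(path)) {
            KeyStore ts = KeyStore.getInstance("JKS");
            ts.load(in, pw);
            TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(ts); // PKIX validation with the truststore's CAs as anchors
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) { trustManager = (X509TrustManager) tm; }
            }
            if (trustManager == null) throw new ServletException("no X509TrustManager");
        } catch (java.security.GeneralSecurityException | IOException e) {
            throw new ServletException("cannot load truststore " + path, e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        HttpServletResponse http = (HttpServletResponse) resp;
        if (certs == null || certs.length == 0) {
            // clientauthwanted=true only asks for a certificate; absence is handled here.
            http.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        try {
            // Validates the chain (signatures, validity period, anchor) against this truststore.
            trustManager.checkClientTrusted(certs, certs[0].getPublicKey().getAlgorithm());
        } catch (CertificateException e) {
            http.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not trusted");
            return;
        }
        chain.doFilter(req, resp); // certs[0] is the end-entity certificate for the servlet
    }
}
```

Map the filter only to Servlet1's URL pattern; Servlet2 stays reachable without a certificate, and revocation checking is not enabled by the default trust manager, so add CRL/OCSP checks if the CA publishes them.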
