Can you use two sockets/connectors? Jetty stuff is configured at connector level, before even the servlet is reached. I know it's not a perfect solution, rather a workaround.
Best regards,
Łukasz
--
Code-House
http://code-house.org

On 16.05.2019 08:12, Markus Rathgeb wrote:
> Hi,
>
> I assume there are different parties involved, so if this question
> should be raised on another mailing list, please can you point me to it?
>
> I am using Karaf + Pax Web + Jetty.
>
> Currently I build a custom distribution whose Pax Web configuration
> (org.ops4j.pax.web.cfg) also contains these lines:
>
> ===
> org.ops4j.pax.web.ssl.clientauthwanted = true
> org.ops4j.pax.web.ssl.clientauthneeded = true
>
> org.ops4j.pax.web.ssl.truststore=${karaf.etc}/truststore.jks
> org.ops4j.pax.web.ssl.truststore.password=that-is-not-the-real-one
> ===
>
> This distribution contains a bundle that registers a servlet "MyServlet".
>
> Now, just FYI, I assume not all is relevant:
>
> ===
> "MyServlet" extends the "WebSocketServlet"
> (org.eclipse.jetty.websocket.servlet.WebSocketServlet).
> Type hierarchy: MyServlet -> WebSocketServlet -> HttpServlet ->
> GenericServlet [Servlet, ServletConfig, Serializable].
>
> The WebSocketServlet requires the implementation of the abstract
> method "public abstract void configure(WebSocketServletFactory factory);"
>
> In the "configure" implementation a "creator" is set:
>
> factory.setCreator(new MyCreator(...));
>
> MyCreator implements the following method (required by the
> WebSocketCreator interface):
>
> public @Nullable Object createWebSocket(final ServletUpgradeRequest req, final ServletUpgradeResponse resp);
>
> In that method I do a simple certificate check.
>
> I call "final X509Certificate[] certs = req.getCertificates();" and
> use the returned chain for the check.
>
> Now back to the relevant part.
> ===
>
> The current implementation of the client certificate chain check
> relies on Jetty having already required client authentication
> (clientauthneeded) and having already checked the certificate against
> the configured truststore (which contains only a special CA).
>
> As we could rely on a "valid" certificate, I just need to extract the
> information I need from the client certificate and "all is fine".
>
>
> Now, I need to add another servlet to that custom distribution that
> should work without a client certificate.
>
> I assume I will need to remove the truststore and clientauth settings
> from the configuration (keep wanted and drop needed?) and check the
> certificate in the code for "MyServlet" itself.
> I further assume it should work by a filter or in the servlet itself.
>
> Are there better ways to handle two servlets:
> * Servlet1 needs client authentication
> * Servlet2 does not use client authentication
>
> How can I trigger the check of the client certificate correctly in the
> servlet / filter to check against a specific truststore?
>
> I am interested in your inputs.
>
> Best regards,
> Markus
>
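For the single-connector variant Markus sketches (keep clientauthwanted, drop clientauthneeded, and validate in a filter in front of the servlet that needs it), here is an added example of such a filter; it is not code from the thread or from Pax Web. It assumes the connector completes the handshake without a client certificate when none is sent, that the chain Jetty exposes via the javax.servlet.request.X509Certificate attribute is the one to validate, and that the dedicated truststore path and password arrive as the (assumed) init parameters "truststore" and "truststorePassword"; it then runs a full PKIX path validation against that store only, so the protected servlet no longer depends on the connector-wide truststore.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter mapped only to the servlet that requires client authentication. */
public class ClientCertFilter implements Filter {
    // Servlet-spec request attribute that Jetty fills with the peer's certificate chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private PKIXParameters pkix;

    public void init(FilterConfig cfg) throws ServletException {
        // "truststore" / "truststorePassword" are assumed init-param names (e.g. ${karaf.etc}/clientca.jks)
        try (InputStream in = new FileInputStream(cfg.getInitParameter("truststore"))) {
            KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
            ts.load(in, cfg.getInitParameter("truststorePassword").toCharArray());
            pkix = new PKIXParameters(ts);    // trust anchors = trusted-cert entries of this store only
            pkix.setRevocationEnabled(false); // no CRL/OCSP source is configured in this example
        } catch (Exception e) {
            throw new ServletException("cannot load client truststore", e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        // With clientauthwanted only, a client that sent no certificate simply has none here: reject.
        if (certs == null || certs.length == 0 || !chainIsTrusted(certs)) {
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** Full PKIX validation: signatures, validity period, basic constraints, anchor membership. */
    private boolean chainIsTrusted(X509Certificate[] certs) {
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(certs));
        int n = path.size();
        // Drop a trailing self-signed root sent by the peer: the anchor must come from the truststore.
        if (n > 1 && path.get(n - 1).getSubjectX500Principal().equals(path.get(n - 1).getIssuerX500Principal()))
            path.remove(n - 1);
        try {
            CertPath cp = CertificateFactory.getInstance("X.509").generateCertPath(path);
            CertPathValidator.getInstance("PKIX").validate(cp, pkix);
            return true;
        } catch (Exception e) {
            return false; // any path-building or signature failure is a rejection
        }
    }

    public void destroy() {}
}
```

The unprotected servlet simply gets no such filter; if a specific subject or SAN must be enforced as well, read it from certs[0] after the validation succeeds.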