Hi,

I'm not sure it's what you are looking for, but you can configure
several connectors via jetty.xml (in addition to the default one created
by Pax Web); then you can use "VirtualHost" to deploy a servlet on a
specific connector.

I blogged about this a while ago (http://blog.nanthrax.net/?p=352).

Regards
JB

On 16/05/2019 08:12, Markus Rathgeb wrote:
> Hi,
> 
> I assume there are different parties involved, so if this question
> should be raised on another mailing list, could you please point me to it?
> 
> I am using Karaf + Pax Web + Jetty.
> 
> Currently I build a custom distribution whose Pax Web configuration
> (org.ops4j.pax.web.cfg) also contains these lines:
> 
> ===
> org.ops4j.pax.web.ssl.clientauthwanted = true
> org.ops4j.pax.web.ssl.clientauthneeded = true
> 
> org.ops4j.pax.web.ssl.truststore=${karaf.etc}/truststore.jks
> org.ops4j.pax.web.ssl.truststore.password=that-is-not-the-real-one
> ===
> 
> This distribution contains a bundle that registers a servlet "MyServlet".
> 
> Now, just FYI, I assume not all is relevant:
> 
> ===
> "MyServlet" extends the "WebSocketServlet"
> (org.eclipse.jetty.websocket.servlet.WebSocketServlet).
> Type hierarchy: MyServlet -> WebSocketServlet -> HttpServlet ->
> GenericServlet [Servlet, ServletConfig, Serializable].
> 
> The WebSocketServlet requires the implementation of the abstract
> method "public abstract void configure(WebSocketServletFactory
> factory);"
> 
> In the "configure" implementation a "creator" is set.
> 
> factory.setCreator(new MyCreator(...));
> 
> MyCreator implements the following method (required by the
> WebSocketCreator interface):
> 
> public @Nullable Object createWebSocket(final ServletUpgradeRequest
> req, final ServletUpgradeResponse resp);
> 
> In that method I do a simple certificate check.
> 
> I call "final X509Certificate[] certs = req.getCertificates();" and
> use the returned chain for the check.
> 
> Now back to the relevant part.
> ===
> 
> The current implementation of the client certificate chain check
> relies that Jetty already required the client authentication
> (clientauthneeded) and that the certificate is already checked against
> the configured truststore (that contains only a special CA).
> 
> As we could rely on a "valid" certificate, I just need to extract the
> information I need from the client certificate and "all is fine".
> 
> 
> Now, I need to add another servlet to that custom distribution that
> should work without a client certificate.
> 
> I assume I will need to remove the truststore and clientauth settings
> from the configuration (keep wanted and drop needed?) and check the
> certificate in the code for "MyServlet" itself.
> I further assume it should work via a filter or in the servlet itself.
> 
> Are there better ways to handle two servlets?
> * Servlet1 needs client authentication
> * Servlet2 does not use client authentication
> 
> How can I trigger the check of the client certificate correctly in the
> servlet / filter to check against a specific truststore?
> 
> I am interested in your inputs.
> 
> Best regards,
> Markus
> 

-- 
Jean-Baptiste Onofré
jbono...@apache.org
http://blog.nanthrax.net
Talend - http://www.talend.com
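For the per-servlet variant Markus sketches (keep `clientauthwanted`, drop `clientauthneeded`, and validate the presented chain against a dedicated truststore in a filter), here is an added example of such a servlet filter. It is not code from either poster or from Pax Web; the init-parameter names `truststore` and `truststorePassword` and the class name `ClientCertFilter` are assumptions, and it reads the chain from the standard servlet request attribute that Jetty populates on TLS connections.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Added example (hypothetical class): rejects requests whose client chain
// does not validate against a filter-specific truststore.
public class ClientCertFilter implements Filter {
    // Standard servlet attribute that the container fills with the client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    private PKIXParameters pkixParams;
    private CertPathValidator validator;

    @Override
    public void init(FilterConfig cfg) throws ServletException {
        // Assumed init parameters: path and password of the dedicated truststore.
        try (FileInputStream in = new FileInputStream(cfg.getInitParameter("truststore"))) {
            KeyStore ts = KeyStore.getInstance("JKS");
            ts.load(in, cfg.getInitParameter("truststorePassword").toCharArray());
            pkixParams = new PKIXParameters(ts);      // every truststore entry becomes a trust anchor
            pkixParams.setRevocationEnabled(false);   // assumption: no CRL/OCSP source configured
            validator = CertPathValidator.getInstance("PKIX");
        } catch (Exception e) {
            throw new ServletException("cannot load client truststore", e);
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {   // "wanted" only: client sent nothing
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        try {
            // Full PKIX validation (signatures, validity dates, chaining to an anchor).
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(certs));
            validator.validate(path, pkixParams);
        } catch (Exception e) {
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, resp);                  // chain is trusted; the servlet may read its subject
    }

    @Override
    public void destroy() {}
}
```

Map the filter only to Servlet1's path; Servlet2 stays reachable without a certificate because the connector no longer requires one.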
