 

Mutual Client Authentication Get Certificate in Servlet

Tags:

java

ssl

tomcat6

I have set up a Tomcat 7.0 application server with mutual (client/server) authentication over SSL. To set up this configuration I needed to create a .jks file for the server and a .pks certificate for my web browser. After configuring the server.xml file in Tomcat I have mutual authentication and SSL working. Now I am attempting to grab the certificate in a servlet; however, I cannot seem to grab the certificate from the request in the servlet. I can set up a filter that successfully pulls the certificate from the request. Can anyone provide me with a configuration/code that would allow me to grab the certificate from the servlet? I would also accept a reason why I cannot get the certificate in the servlet.

Server.xml

<Connector
 clientAuth="true" port="8443" protocol="HTTP/1.1" SSLEnabled="true"
 scheme="https" secure="true"
 keystoreFile="C:/Users/Kevin Bowersox/Desktop/Development/My Certs/server.jks"
 keystoreType="JKS" keystorePass="notmypassword"
 truststoreFile="C:/Users/Kevin Bowersox/Desktop/Development/My Certs/server.jks"
 truststoreType="JKS" truststorePass="notmypassword"
 SSLVerifyClient="require" SSLVerifyDepth="2" sslProtocol="TLS"
/>

MyServlet.java - This throws a RuntimeException because the certificate is not found when hitting the URL: https://localhost:8443/Sample_Application/MyServlet

protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
    X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    if (null != certs && certs.length > 0) {
        System.out.println("cert found");
    }
    throw new RuntimeException("No X.509 client certificate found in request");
}

MyServlet Mapping

<servlet>
    <description>
    </description>
    <display-name>MyServlet</display-name>
    <servlet-name>MyServlet</servlet-name>
    <servlet-class>MyServlet</servlet-class>
</servlet>
<servlet-mapping>
    <servlet-name>MyServlet</servlet-name>
    <url-pattern>/MyServlet</url-pattern>
</servlet-mapping>

MyFilter.java - Returns "cert found" when hitting the URL: https://localhost:8443/Sample_Application/test.jsp

public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
    X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    if (null != certs && certs.length > 0) {
        System.out.println("cert found");
    }
    //throw new RuntimeException("No X.509 client certificate found in request");
    chain.doFilter(request, response);
}

My Filter Mapping

<filter>
    <description>
    </description>
    <display-name>MyFilter</display-name>
    <filter-name>MyFilter</filter-name>
    <filter-class>MyFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>MyFilter</filter-name>
    <url-pattern>*.jsp</url-pattern>
</filter-mapping>
Kevin Bowersox asked Apr 21 '12 22:04





1 Answer

It is working. However, the Servlet is coded to always throw the RuntimeException, so it looks like it isn't working.

Mark Thomas answered Sep 23 '22 15:09

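For reference, a corrected form of the asker's servlet in which the error path is taken only when the container did not supply a client certificate; this is an added example, not code from the question or the answer, and it assumes Tomcat 7's javax.servlet (Servlet 3.0) API with the connector configured as shown above.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical corrected MyServlet (example, not the asker's code):
 * reports the client certificate when present and fails only when it is absent.
 */
public class MyServlet extends HttpServlet {

    // Attribute name defined by the Servlet specification; Tomcat populates it
    // on an HTTPS connector that requested and received a client certificate.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws ServletException, IOException {
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);

        // The original servlet fell through to the throw even after printing
        // "cert found"; here the request is rejected only when no chain was sent.
        if (certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                    "No X.509 client certificate found in request");
            return;
        }

        // certs[0] is the end-entity (client) certificate, followed by its chain
        // as presented in the handshake; the chain was already validated against
        // the truststore configured on the connector.
        X509Certificate client = certs[0];
        String subject = client.getSubjectX500Principal().getName();
        String issuer = client.getIssuerX500Principal().getName();

        response.setContentType("text/plain");
        PrintWriter out = response.getWriter();
        out.println("cert found");
        out.println("subject: " + subject);
        out.println("issuer:  " + issuer);
        out.println("serial:  " + client.getSerialNumber().toString(16));
        out.println("chain length: " + certs.length);
    }
}
```

The subject DN (or the serial together with the issuer) is the value to map onto an application identity; with clientAuth="true" on the connector a request that reaches this servlet over 8443 will always carry a chain, so the 401 branch mainly guards against the servlet being reached through a plain HTTP connector.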