
I have a scenario with a few REST web services, of which a few need to enforce mutual SSL and a few should just have one-way SSL; it's the same web application.

Is that possible in a Tomcat/Spring based application?

ViS
  • Did you manage to find a solution for the problem? I am also stuck in making only one of the APIs of an application one-way and the others mutual. – Manu May 09 '16 at 10:32
  • Yes, I have posted the answer now; check if it helps. – ViS May 09 '16 at 20:39

3 Answers

4

Sorry for replying late. Yes, I did this; not sure if it's the best way, but it's kind of a hack.

Step 1: Have one-way SSL set with clientAuth=want in your Tomcat. This will fix your scenario where you want to have one-way SSL for all the web services except the one which needs extra/mutual authentication.

Step 2: Now for the web service which needs mutual SSL: write a servlet filter and, for that particular web service URL, check the incoming HTTP request for certificates. Loop through the certs found in the request and match them with the certs from your trust store. If you find a match, let the request flow proceed; if not, return an exception as SSL cert not found.

```java
import java.security.cert.X509Certificate;

// Tomcat exposes the client's certificate chain (if one was presented) as a request attribute
X509Certificate[] certificates = (X509Certificate[]) request
                    .getAttribute("javax.servlet.request.X509Certificate");
```

The above code will give you the array of certs in your request.

Note: Make sure your SSL configuration is correct, or else the certificates variable will stay null.

ViS
  • Thanks for posting the answer. I am using Spring Security 4 + Spring Boot and have a MultiHttpSecurityConfig implementation. But when I configure clientAuth=want the flow does not reach my custom MultiHttpSecurityConfig. – Manu May 15 '16 at 06:57
  • Irrespective of the clientAuth value, we have a web service which needs mutual SSL, right? So this web service has its own path/URL. So make sure when this path or URL gets hit, the call goes through a certain filter/class which does the SSL verification, and you should be good. It won't automatically call your implementation, as we are doing a hack; you may need this particular web service call to go through your own path. – ViS May 17 '16 at 15:38
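The filter that Step 2 above describes, written out as an added example (this is not code from the question or from any of the answers); the class name, the init-params trustStorePath/trustStorePassword, and the web.xml mapping are assumptions. Instead of comparing certificates one by one, it hands the presented chain to an X509TrustManager built from the trust store, which also checks chain signatures and validity periods.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

// Hypothetical filter, mapped in web.xml only to the URL pattern that needs mutual TLS.
public class ClientCertRequiredFilter implements Filter {
    private X509TrustManager trustManager;

    @Override public void init(FilterConfig config) throws ServletException {
        // trustStorePath / trustStorePassword are assumed filter init-params.
        String path = config.getInitParameter("trustStorePath");
        char[] password = config.getInitParameter("trustStorePassword").toCharArray();
        try (FileInputStream in = new FileInputStream(path)) {
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            trustStore.load(in, password);
            TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            tmf.init(trustStore);
            for (TrustManager tm : tmf.getTrustManagers()) {
                if (tm instanceof X509TrustManager) { trustManager = (X509TrustManager) tm; return; }
            }
            throw new ServletException("no X509TrustManager for trust store");
        } catch (GeneralSecurityException | IOException e) {
            throw new ServletException("cannot load trust store " + path, e);
        }
    }

    @Override public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletResponse response = (HttpServletResponse) res;
        // Null when no certificate was sent (clientAuth=want allows that) or SSL is misconfigured.
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (certs == null || certs.length == 0) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }
        try {
            // Check the presented chain against the trust store: chain building, signatures, validity period.
            trustManager.checkClientTrusted(certs, certs[0].getPublicKey().getAlgorithm());
        } catch (CertificateException e) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate not trusted");
            return;
        }
        chain.doFilter(req, res);
    }

    @Override public void destroy() { }
}
```

Tomcat only sets the request attribute after a completed handshake, so a null value means the client sent no certificate, not that its certificate failed validation.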
1

If you can use different hosts (assuming the client and server support SNI) or ports, then this should be no problem.

Unfortunately, you cannot vary the SSL configuration based on the URL's path since it is only available after the SSL connection has been established. Your only option in that case would be to make the client certificate optional and ignore any certificates sent for the URLs that do not require it.

In either case, you will almost certainly be better off letting something like Nginx or Apache httpd handle the SSL part and pass any data about the client's certificate (or lack thereof) to your Spring / Tomcat app in an HTTP header.

  • Thanks Nathan. What if I try to use the load balancer to route the traffic between the mutual-HTTPS-enabled port and the HTTPS port depending on the URL, and then in the web.xml as below, depending on the URL pattern, enforce the security constraints: /somepath* CONFIDENTIAL – ViS Oct 15 '15 at 16:58
0

You can use TLS ("one-way") for your whole site and then only demand a client certificate when authentication is required. Set your TLS <Connector>'s clientAuth attribute to want and set your auth-method in web.xml to be CLIENT-CERT. That ought to do it.

Christopher Schultz