I have a Spring Boot REST controller that uses mutual HTTPS authentication with keystores on both the server and client side. The server side has the controller class with @RequestMapping. HTTPS between server and client otherwise seems to be working fine.

There are multiple clients that have different matching entries configured in the server trust store. When inside the controller body, I need to know which trust store entry has been used to authenticate the current client.

I have attempted the answer for this question using the injected HttpServletRequest (method parameter), but there is nothing in the request parameters. Unfortunately, it seems that request.getAttribute("javax.servlet.request.X509Certificate") just returns null, even if I am sure the interaction was via HTTPS. request.getAttribute("javax.servlet.request.cipher_suite") returns TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256.

How can I get, from within the Spring REST controller method, any information about which certificate is being used?

Spring framework 4.3.11.RELEASE, embedded Tomcat 8.0.23, Spring Boot 1.5.1.RELEASE.

Audrius Meškauskas
  • Did you enable Tomcat's clientAuth and set the truststore? Try to debug the SSL connection at client or server side to ensure the client is presenting a certificate. – pedrofb Oct 31 '17 at 09:16
  • This comment provides the answer to the question. connector.setAttribute("clientAuth", "true") is what was missing. If you convert it to an answer, I will accept it. – Audrius Meškauskas Oct 31 '17 at 09:22

1 Answer

As stated in the comments, it is necessary to enable client authentication:

Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
...
connector.setAttribute("clientAuth", "true");

In addition, to ensure that the client is presenting a certificate, it is possible to debug the SSL connection at client or server side.

Audrius Meškauskas
pedrofb
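
Once clientAuth is enabled as in the answer above, the controller side of the question could look like the following. This is an added example, not code from the original posts; the trust store path, password, store type and the /whoami mapping are assumptions.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ClientCertController {

    // Assumed location, password and type; use the same trust store the connector uses.
    private static final String TRUST_STORE = "/path/to/truststore.jks";
    private static final char[] TRUST_STORE_PASSWORD = "changeit".toCharArray();

    private final KeyStore trustStore;

    public ClientCertController() throws Exception {
        // Load the trust store once so each request only does an in-memory lookup.
        trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(Paths.get(TRUST_STORE))) {
            trustStore.load(in, TRUST_STORE_PASSWORD);
        }
    }

    @RequestMapping("/whoami")
    public ResponseEntity<String> whoami(HttpServletRequest request) throws Exception {
        // Populated only when the connector asked for a client certificate (clientAuth).
        X509Certificate[] chain = (X509Certificate[])
                request.getAttribute("javax.servlet.request.X509Certificate");
        if (chain == null || chain.length == 0) {
            return new ResponseEntity<>("no client certificate", HttpStatus.UNAUTHORIZED);
        }
        // chain[0] is the client's own certificate; later elements are its issuers.
        for (X509Certificate cert : chain) {
            String alias = trustStore.getCertificateAlias(cert);
            if (alias != null) {
                return ResponseEntity.ok(alias + " / " + chain[0].getSubjectX500Principal().getName());
            }
        }
        // The trusted CA entry may not be part of the chain the client sent.
        return ResponseEntity.ok("issuer: " + chain[0].getIssuerX500Principal().getName());
    }
}
```

The alias lookup matches directly when each client's certificate is itself a trust store entry; for CA-issued client certificates, the matching entry is the issuer's.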