java - getAttribute("javax.servlet.request.X509Certificate") not set (Spring, CXF, Jetty, JAX-RS v1.1)




My client implements two-way SSL in the following way:

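    import java.io.File;
    import java.io.FileInputStream;
    import java.security.KeyStore;
    import org.apache.http.HttpResponse;
    import org.apache.http.client.methods.HttpGet;
    import org.apache.http.conn.ClientConnectionManager;
    import org.apache.http.conn.scheme.Scheme;
    import org.apache.http.conn.scheme.SchemeRegistry;
    import org.apache.http.conn.ssl.SSLSocketFactory;
    import org.apache.http.impl.client.DefaultHttpClient;
    import org.apache.http.impl.conn.PoolingClientConnectionManager;

    private final static String KEYSTORE = "/security/client.jks";
    private final static String KEYSTORE_PASSWORD = "secret";
    private final static String KEYSTORE_TYPE = "JKS";
    private final static String TRUSTSTORE = "/security/certificates.jks";
    private final static String TRUSTSTORE_PASSWORD = "secret";
    private final static String TRUSTSTORE_TYPE = "JKS";
    ...
    // Keystore: holds the client's private key and certificate chain.
    KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
    FileInputStream keyStoreInput = new FileInputStream(new File(KEYSTORE));
    keyStore.load(keyStoreInput, KEYSTORE_PASSWORD.toCharArray());

    // Truststore: holds the certificates the client accepts from the server.
    KeyStore trustStore = KeyStore.getInstance(TRUSTSTORE_TYPE);
    FileInputStream trustStoreIs = new FileInputStream(new File(TRUSTSTORE));
    trustStore.load(trustStoreIs, TRUSTSTORE_PASSWORD.toCharArray());

    // Socket factory that presents the keystore's certificate when the server asks for one.
    SSLSocketFactory socketFactory = new SSLSocketFactory(keyStore, KEYSTORE_PASSWORD, trustStore);
    Scheme scheme = new Scheme("https", 8543, socketFactory);
    SchemeRegistry registry = new SchemeRegistry();
    registry.register(scheme);
    ClientConnectionManager ccm = new PoolingClientConnectionManager(registry);
    httpClient = new DefaultHttpClient(ccm);

    HttpResponse response = null;
    HttpGet httpGet = new HttpGet("https://mylocalhost.com:8543/test");
    response = httpClient.execute(httpGet);
    ...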

and I try to retrieve the X.509 certificate of the client on the server's side via javax.servlet.http.HttpServletRequest.getAttribute("javax.servlet.request.X509Certificate"), as described here: http://tomcat.apache.org/tomcat-5.5-doc/servletapi/javax/servlet/servletrequest.html#getattribute%28java.lang.string%29.

I get the HttpServletRequest on the server's side via:

    HttpServletRequest servletRequest = (HttpServletRequest) msg.get("HTTP.REQUEST");

in the handleMessage(Message msg) method of my interceptor class, which extends AbstractPhaseInterceptor<Message>. I have to use JAX-RS 1.1.1 on the server's side because of Maven dependencies that I am not allowed to change, and I cannot use ContainerRequestFilter (supported from JAX-RS 2.0 on).

My problem is that getAttribute("javax.servlet.request.X509Certificate") on the server's side returns null all the time. If I verify the traffic between server and client, I can see that the certificate of the server is sent to the client and that the handshake works. But I cannot see that the client certificate is sent to the server, and I think this is the reason why getAttribute("javax.servlet.request.X509Certificate") returns null. Does someone know how I can solve this problem? I tried some other implementations on the client's side already, but with no change.

What am I doing wrong? Many thanks in advance!

Additional information: I have seen on the server's side that javax.servlet.request.ssl_session_id, javax.servlet.request.key_size and javax.servlet.request.cipher_suite are set, but the key javax.servlet.request.X509Certificate is not set. I'm using Jetty Server 8.1.15, Apache CXF 2.7.x and JAX-RS 1.1.1. I tried the Jetty configuration via http://cxf.apache.org/docs/jetty-configuration.html and http://cxf.apache.org/docs/secure-jax-rs-services.html#securejax-rsservices-configuringendpoints, but the attribute still isn't set.

Problem solved. It wasn't a problem in the code, it was a certificate problem only. My problem was that I am a beginner regarding X509 certificates as well, so it was a handshake problem between server and client. In this case, the SSL/handshake debug helped me. The debug log told me that the server accepted client certificates from a specific CA, and the server told the client the required CA in its certificate request during the ServerHello message. Since the client didn't have a certificate from that CA, it didn't send one and the connection between client and server was closed then, with the result that javax.servlet.request.X509Certificate was not set.

For others who might run into the same problem sometime (which seems to be a mutual SSL configuration problem regarding IBM, mentioned in the first link below), the following sources helped me a lot:

- http://www-01.ibm.com/support/docview.wss?uid=swg27038122&aid=1 (pages 16 and 17)
- http://java.dzone.com/articles/how-analyze-java-ssl-errors (shows how the handshake should look)
- Need help debugging SSL handshake in Tomcat (shows how to debug SSL errors in Java)
- https://thomas-leister.de/internet/eigene-openssl-certificate-authority-ca-erstellen-und-zertifikate-signieren/ (in German, but maybe you can find an English equivalent)
- https://access.redhat.com/site/documentation/en-us/red_hat_jboss_fuse/6.0/html/web_services_security_guide/files/i382674.html (continuation of the above German article)
- http://www.webfarmr.eu/2010/04/import-pkcs12-private-keys-into-jks-keystores-using-java-keytool/ (how to create the keystore and truststore)

After creating my own CA, server and client certificates, and after creating the keystore and truststore for both, the attribute is set now:

- here15_1: javax.servlet.request.X509Certificate
- here16_2: class [Ljava.security.cert.X509Certificate;
- here16_3: [Ljava.security.cert.X509Certificate;@43b8f002

The server code is able to extract the client certificate info now, too.
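The certificate setup described in the answer above, as an added example that is not part of the original post: it creates a CA, a client certificate signed by it and an unrelated self-signed certificate, then checks which of the two chains to the CA the server would ask for. All subject names, file names and the password are constructed placeholders, and the openssl command-line tool is assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example: every subject name, file name and the password is a constructed placeholder.
set -eu
WORK=$(mktemp -d)

# Own CA. Its certificate is what the server's truststore must contain; the
# server names this CA to the client in its certificate request.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Client key and CSR, signed by the CA above (the working setup).
make_client_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
    -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/client.crt" 2>/dev/null
}

# Self-signed client certificate: stands in for the failing setup, where the
# client holds no certificate from the CA the server asks for.
make_stray_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=stray-client" \
    -keyout "$WORK/stray.key" -out "$WORK/stray.crt" 2>/dev/null
}

# Succeeds only if the certificate in $1 chains to the demo CA.
issued_by_ca() {
  openssl verify -CAfile "$WORK/ca.crt" "$1" 2>/dev/null | grep -q ': OK$'
}

# Bundle key + certificate + CA for the client; Java can load this as keystore
# type "PKCS12", or keytool -importkeystore can convert it to JKS.
make_client_p12() {
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
    -certfile "$WORK/ca.crt" -name client -passout pass:changeit \
    -out "$WORK/client.p12"
}

make_ca; make_client_cert; make_stray_cert; make_client_p12
for c in client stray; do
  if issued_by_ca "$WORK/$c.crt"; then verdict="issued by demo CA: client can answer the request"
  else verdict="not issued by demo CA: client sends no certificate"; fi
  printf '%s.crt  %s  (%s)\n' "$c" "$verdict" "$(openssl x509 -noout -issuer -in "$WORK/$c.crt")"
done
```

Against a running server, `openssl s_client -connect mylocalhost.com:8543` prints the "Acceptable client certificate CA names" the server advertises, and `-Djavax.net.debug=ssl,handshake` on the Java client produces the handshake debug log the answer refers to.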

java ssl httpclient
