httpd-users mailing list archives

From Mathieu Seillier
Subject [users@httpd] Forward client cert with no HTTPS
Date Wed, 12 Oct 2011 17:33:29 GMT
Hi all

I have an Apache Web Server v2.2.14 which is used as a front-end for a
Tomcat Server v5.5. The connector between the servers is mod_jk v1.2.28.
So the Tomcat Server is behind the Apache Server, itself behind an IPS
(Intrusion Prevention System). The IPS is in a DMZ, and HTTPS/SSL is enabled
only in this area. So there is NO HTTPS/SSL on either Apache or Tomcat.
The users of my application authenticate with an x509 certificate contained
in a USB device. The SSL mutual authentication is done by the IPS. After
that, everything is in HTTP.

What I want is to get the client's certificate on Tomcat, to perform further
business checks in my application.
The only thing that I know is that, after mutual SSL authentication, the IPS
puts the client certificate in the HTTP header with the value

My questions are:
1/ Is Apache able to forward the client's certificate to Tomcat, even though
there is no HTTPS on Apache and Tomcat? (maybe using JkEnvVar?)
2/ The value "X-SSL_CLIENT_CERT" to store the cert in the HTTP header: is it
standard? Is there a difference with "SSL_CLIENT_CERT"? If not standard,
this could be modified.
3/ Ideally, is there a way with Apache to put the client's certificate as a
request attribute "javax.servlet.request.X509Certificate"? (because I use
Spring Security in my app, and X509 authentication with Spring Security uses
request.getAttribute("javax.servlet.request.X509Certificate") to get the
cert and authenticate)

PS1: I would have run some tests myself, but I have to quickly write a
specification without having all I need to test whether what I write is good :(
PS2: Sorry if my English is bad, because I'm French...

Thanks in advance

