Spring Security X.509 Preauth

StackOverflow https://stackoverflow.com/questions/16462300

I'm using Spring Security 2.x's Preauthentication with X.509 certificates.

I get the certificateText via HttpServletRequest.getAttribute("CERTIFICATE").

Sometimes, the above call returns "" (empty). I believe it occurs when the HTTP session has expired.

What would explain why HttpServletRequest.getAttribute("CERT") returns empty?

EDIT In Kerberos, for example, the ticket is available in every HTTP request. Is the cert not always in X.509 HTTP requests?

有帮助吗?

解决方案

  1. Please access to certificate using this code: X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
  2. Certificate is always populated to request after successful client certificate authentication.

Ensure your support long certificate chain:

  1. Add the max_packet_size propery to the worker.properties file worker.ajp13w.max_packet_size=65536

  2. Add the packetSize propery to the configuration of Ajp connector in the Tomcat configuration \conf\server.xml <Connector port="8089" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" packetSize="65536"/>

Apache logs: http://httpd.apache.org/docs/2.2/logs.html#accesslog http://httpd.apache.org/docs/2.2/logs.html#errorlog http://httpd.apache.org/docs/2.2/mod/core.html#loglevel

许可以下: CC-BY-SA归因
不隶属于 StackOverflow
scroll top