Intercepting and forwarding client certificate to webservice

Question

I have a web application (gwt) that is running on a tomcat application server. This web application consumes several web services (login, application data transfer, queries, etc.). The web service client on the tomcat is implemented as apache axis2 web service client.

For user log on I provide a form in the web application with username and password. This data are transmitted via web service to authenticate the user.

It is planned to change the hole authentication mechanism to client certificated based authentication. The authentication still should be done on the web service provider side. So my system has three relevant components: the web client, the tomcat application server and the web service provider.

Every user of the application has its own private client certificate (PKI Token, X.509- Auth-Cert). When the user connects to the web application his certificate is requested.

How can I forward the client certificates for use in the web services? (The tomcat will not be responsible for authentication).

1.) Is there a way to intercept the request and extract the client certificates before authentication error occurred? I found some information about Servlet Filters what sounds really good, but I’m not sure where to implement it to intercept the certificates before they are verified against tomcats keystore.

2.) If it is possible, how can I pass after the client certificate to the web service?

Thank you for reading

Answer 1

No, not really. The real piece used in authentication is the private key associated with the certificate, not just the certificate itself. And, typically, you have no way of retrieving that from the web client. Therefore, you cannot really pass-through the credentials you receive from a web client on to the web service client. The certificate itself is readily available, but is useless for authentication without the corresponding private key.