We run a REST service using embedded Tomcat. Our app requires mutual TLS to authenticate, and authorizes by extracting the CN from the client certificate and verifying the permissions against a set of authorized users.

This works fine with a reverse proxy, like Nginx using a config which extracts the CN and passes it in the HTTP header:

proxy_set_header X-SSL-Client-CN $ssl_client_s_dn_cn;

Is it possible in embedded Tomcat to extract the CN directly, instead of using a reverse proxy?

Brad Schoening

1 Answer

...and as a Tomcat committer I'd say, RTFM. The SSLValve will read the Base64 PEM public cert of your client, inject the X509Certificate, and then your Realm can provide an X509UsernameRetriever to read out what you need.

Michael-O
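As an added example (not code from the question or the answer above, and not Tomcat's own sample code), the following shows the direct route the question asks about: an embedded Tomcat 9 connector that performs mutual TLS itself, so the verified client certificate is available in-process via the Servlet-spec request attribute `javax.servlet.request.X509Certificate`, with no proxy and no header to trust. The `CnRetriever` class implements Tomcat's `X509UsernameRetriever` interface from the answer so it can also be plugged into a Realm. Keystore paths, passwords and the allow-list are placeholders; the Java 9+ `Set.of` and the `javax.servlet` package (Tomcat 9, not the `jakarta.*` package of Tomcat 10+) are assumptions.

```java
// Added example: direct mutual TLS on an embedded Tomcat 9 connector, CN read in-process.
// Assumed: placeholder keystore paths/passwords/allow-list; javax.servlet API (Tomcat 9).
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import org.apache.catalina.Context;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.realm.X509UsernameRetriever;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.FilterDef;
import org.apache.tomcat.util.descriptor.web.FilterMap;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

public class MtlsEmbeddedTomcat {

    /** Returns only the CN of the subject DN; also usable as a Realm's X509UsernameRetriever. */
    public static class CnRetriever implements X509UsernameRetriever {
        @Override
        public String getUsername(X509Certificate cert) {
            // Parse the RFC 2253 DN with LdapName rather than a regex, so escaped commas
            // or quoted values inside an RDN cannot be used to smuggle a different CN.
            String dn = cert.getSubjectX500Principal().getName();
            try {
                for (Rdn rdn : new LdapName(dn).getRdns()) {
                    if ("CN".equalsIgnoreCase(rdn.getType())) {
                        return String.valueOf(rdn.getValue());
                    }
                }
            } catch (InvalidNameException e) {
                throw new IllegalArgumentException("unparseable subject DN: " + dn, e);
            }
            throw new IllegalArgumentException("no CN in subject DN: " + dn);
        }
    }

    /** Authorizes every request by CN against a fixed allow-list (placeholder values). */
    static class CnAuthorizationFilter implements Filter {
        private static final Set<String> ALLOWED = Set.of("alice", "svc-reporter"); // placeholder
        private final X509UsernameRetriever retriever = new CnRetriever();

        @Override
        public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
                throws IOException, ServletException {
            HttpServletResponse resp = (HttpServletResponse) res;
            // Tomcat populates this attribute itself after the connector verified the chain
            // against the truststore; an unauthenticated client never reaches this point.
            X509Certificate[] certs =
                (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
            if (certs == null || certs.length == 0) {
                resp.sendError(HttpServletResponse.SC_UNAUTHORIZED);
                return;
            }
            String cn;
            try {
                cn = retriever.getUsername(certs[0]); // certs[0] is the end-entity certificate
            } catch (IllegalArgumentException e) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            if (!ALLOWED.contains(cn)) {
                resp.sendError(HttpServletResponse.SC_FORBIDDEN);
                return;
            }
            chain.doFilter(req, res);
        }
    }

    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();
        tomcat.setBaseDir(System.getProperty("java.io.tmpdir"));

        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setPort(8443);
        connector.setSecure(true);
        connector.setScheme("https");
        connector.setProperty("SSLEnabled", "true");

        SSLHostConfig ssl = new SSLHostConfig();
        ssl.setCertificateVerification("required");       // clients MUST present a trusted cert
        ssl.setTruststoreFile("/path/to/client-ca.p12");  // placeholder: CA(s) issuing client certs
        ssl.setTruststorePassword("changeit");            // placeholder
        SSLHostConfigCertificate serverCert =
            new SSLHostConfigCertificate(ssl, SSLHostConfigCertificate.Type.RSA);
        serverCert.setCertificateKeystoreFile("/path/to/server.p12"); // placeholder
        serverCert.setCertificateKeystorePassword("changeit");         // placeholder
        ssl.addCertificate(serverCert);
        connector.addSslHostConfig(ssl);
        tomcat.getService().addConnector(connector);

        Context ctx = tomcat.addContext("", null);
        FilterDef def = new FilterDef();
        def.setFilterName("cnAuthz");
        def.setFilter(new CnAuthorizationFilter());
        ctx.addFilterDef(def);
        FilterMap map = new FilterMap();
        map.setFilterName("cnAuthz");
        map.addURLPattern("/*");
        ctx.addFilterMap(map);

        tomcat.start();
        tomcat.getServer().await();
    }
}
```

Two notes on the design. First, because the connector itself verifies the chain, the CN is bound to a key the client proved possession of during the handshake; there is no forwarded header that an internal client could forge, which is the main thing a proxy-header scheme has to guard against (the proxy must be the only path to the app). Second, to use the Realm route from the answer instead of the filter, call `setX509UsernameRetrieverClassName(CnRetriever.class.getName())` on the Realm and protect the context with `CLIENT-CERT` authentication; if you do keep a proxy in front, add `org.apache.catalina.valves.SSLValve` to the context pipeline (`ctx.getPipeline().addValve(new SSLValve())`) so it turns the forwarded PEM header into the same request attribute, and make sure the proxy strips that header from incoming requests.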