
I am trying to configure a Camel Jetty based REST endpoint for client certificates. Whenever I send a request to the HTTPS endpoint without the client certificate it still works, i.e. there is a valid response from the REST endpoint. How do I make sure that a) only clients with valid certificates can make a request, and b) a 500 exception is raised for unauthorized clients or clients without proper certificates?

Main Class

    // Camel 3.x packages (in Camel 2.x the jsse classes live in org.apache.camel.util.jsse)
    import org.apache.camel.CamelContext;
    import org.apache.camel.component.jetty9.JettyHttpComponent9;
    import org.apache.camel.impl.DefaultCamelContext;
    import org.apache.camel.support.jsse.KeyManagersParameters;
    import org.apache.camel.support.jsse.KeyStoreParameters;
    import org.apache.camel.support.jsse.SSLContextParameters;

    CamelContext context = new DefaultCamelContext();
    context.setStreamCaching(true);

    // Server key store: holds the endpoint's own certificate and private key
    KeyStoreParameters ksp = new KeyStoreParameters();
    ksp.setResource("src/main/resources/security/keystore.jks");
    ksp.setPassword("password");

    KeyManagersParameters kmp = new KeyManagersParameters();
    kmp.setKeyStore(ksp);
    kmp.setKeyPassword("password");

    // Only key managers are set: no trust managers and no
    // SSLContextServerParameters, so Jetty never asks the client for a certificate
    SSLContextParameters scp = new SSLContextParameters();
    scp.setKeyManagers(kmp);

    // camel-jetty must be on the classpath for the "jetty" component to resolve
    JettyHttpComponent9 jettyComponent = context.getComponent("jetty", JettyHttpComponent9.class);
    jettyComponent.setSslContextParameters(scp);

    context.addRoutes(new HelloRoute());
    context.start();

On the camel route

    import org.apache.camel.Exchange;
    import org.apache.camel.builder.RouteBuilder;

    public class HelloRoute extends RouteBuilder {

        @Override
        public void configure() throws Exception {

            // Any exception thrown inside a route becomes an HTTP 500 with the message as body.
            // This only runs once an HTTP request has reached Camel.
            onException(Exception.class)
                .handled(true)
                .setHeader(Exchange.HTTP_RESPONSE_CODE, constant(500))
                .setBody(simple("${exception.message}\n"));

            restConfiguration()
                .component("jetty")
                .host("0.0.0.0")
                .port("6625")
                .scheme("https")
                .componentProperty("minThreads", "1")
                .componentProperty("maxThreads", "16");

            rest("/req/").consumes("application/json").produces("application/json")
                .post().to("direct:helloRoute");

            from("direct:helloRoute").convertBodyTo(String.class)
                .choice()
                    // second argument: suppress exceptions when the JSON path does not match
                    .when().jsonpath("$.Header[?(@.MessageType == 'Hello')]", true)
                        .bean(HelloRoute.class, "helloRoute")
                    .otherwise()
                        .bean(HelloRoute.class, "otherwiseRoute")
                .endChoice();
        }

        // The helloRoute(...) and otherwiseRoute(...) bean methods are not shown in the post
    }
Vikrant

1 Answer


Your javax.net.ssl.SSLParameters needs to have .setNeedClientAuth(true).

See: https://docs.oracle.com/javase/8/docs/api/javax/net/ssl/SSLParameters.html#setNeedClientAuth-boolean-

The authentication occurs at the TLS level.

There will be no way to return an HTTP status code if your clients fail to authenticate, as that authentication occurs well ahead of the HTTP layer even being present for request or response. The TLS layer will terminate the connection.

Joakim Erdfelt
  • Thank you. To set .setNeedClientAuth(true) in Camel I added the following code to Main: SSLContextServerParameters scsp = new SSLContextServerParameters(); scsp.setClientAuthentication("REQUIRE"); SSLContextParameters scp = new SSLContextParameters(); scp.setServerParameters(scsp); – Vikrant Oct 27 '20 at 13:43
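The question's Main class and the comment above together give the full picture, but one piece is easy to miss: setting client authentication to REQUIRE makes Jetty demand a certificate, yet without explicit trust managers Camel falls back to the JVM's default trust store, so the endpoint would accept any client certificate chaining to a public CA rather than only the CAs you issue client certificates from. The following is an added, self-contained example (editor's code, not from the original post or from the Camel project) that wires the server key store, a dedicated client-CA trust store and REQUIRE into one SSLContextParameters. The class name MutualTlsMain, the trust store path src/main/resources/security/truststore.jks, the passwords, the TLS version and the trivial route body are assumptions; the Camel 3.x package names match the question's JettyHttpComponent9.

```java
import org.apache.camel.CamelContext;
import org.apache.camel.builder.RouteBuilder;
import org.apache.camel.component.jetty9.JettyHttpComponent9;
import org.apache.camel.impl.DefaultCamelContext;
import org.apache.camel.support.jsse.KeyManagersParameters;
import org.apache.camel.support.jsse.KeyStoreParameters;
import org.apache.camel.support.jsse.SSLContextParameters;
import org.apache.camel.support.jsse.SSLContextServerParameters;
import org.apache.camel.support.jsse.TrustManagersParameters;

/** Camel Jetty REST endpoint that only completes a TLS handshake with clients presenting a trusted certificate. */
public class MutualTlsMain {

    /** Builds the server-side TLS configuration: own identity, client CA trust, mandatory client auth. */
    static SSLContextParameters serverSslParameters() {
        // 1. Server identity: the endpoint's certificate and private key (path/password as in the question)
        KeyStoreParameters ksp = new KeyStoreParameters();
        ksp.setResource("src/main/resources/security/keystore.jks");
        ksp.setPassword("password");
        KeyManagersParameters kmp = new KeyManagersParameters();
        kmp.setKeyStore(ksp);
        kmp.setKeyPassword("password");

        // 2. Trust store holding ONLY the CA certificate(s) that issue client certificates.
        //    Assumed path/password. Without this, Camel uses the JVM default trust store,
        //    and any certificate from a public CA would satisfy REQUIRE.
        KeyStoreParameters tsp = new KeyStoreParameters();
        tsp.setResource("src/main/resources/security/truststore.jks");
        tsp.setPassword("password");
        TrustManagersParameters tmp = new TrustManagersParameters();
        tmp.setKeyStore(tsp);

        // 3. Server-side handshake policy. Accepted values: NONE, WANT, REQUIRE.
        //    REQUIRE aborts the handshake if the client sends no (trusted) certificate.
        SSLContextServerParameters scsp = new SSLContextServerParameters();
        scsp.setClientAuthentication("REQUIRE");

        SSLContextParameters scp = new SSLContextParameters();
        scp.setKeyManagers(kmp);
        scp.setTrustManagers(tmp);
        scp.setServerParameters(scsp);
        scp.setSecureSocketProtocol("TLSv1.2"); // assumed; pick the minimum your clients support
        return scp;
    }

    public static void main(String[] args) throws Exception {
        CamelContext context = new DefaultCamelContext();

        // camel-jetty must be on the classpath; the component is then registered as "jetty"
        JettyHttpComponent9 jetty = context.getComponent("jetty", JettyHttpComponent9.class);
        jetty.setSslContextParameters(serverSslParameters());

        context.addRoutes(new RouteBuilder() {
            @Override
            public void configure() {
                // Same REST configuration as the question; only the route body is simplified
                restConfiguration().component("jetty").host("0.0.0.0").port("6625").scheme("https");
                rest("/req/").consumes("application/json").produces("application/json")
                    .post().to("direct:hello");
                from("direct:hello")
                    .setBody(constant("{\"status\":\"ok\"}\n"));
            }
        });

        context.start();
        Runtime.getRuntime().addShutdownHook(new Thread(context::stop));
        Thread.currentThread().join(); // block the main thread; Jetty serves on its own threads
    }
}
```

Verifying the behaviour with curl shows why the answer says a 500 cannot be returned: `curl -k -X POST https://localhost:6625/req/ -d '{}'` now fails during the handshake (curl reports a TLS alert such as "certificate required" or "handshake failure", depending on the TLS version), and no HTTP status ever exists, while `curl --cacert server-ca.pem --cert client.pem --key client.key -X POST https://localhost:6625/req/ -d '{}'` returns the JSON body. If an HTTP-level rejection is a hard requirement, the only option is WANT instead of REQUIRE, which lets the handshake complete without a client certificate and moves the decision into the route; that means unauthenticated clients get a full TLS connection and reach application code, which is weaker than rejecting them at the handshake.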