gwtspring-securitypre-authentication

Spring Security X.509 Preauth


I'm using Spring Security 2.x's Preauthentication with X.509 certificates.

I get the certificateText via HttpServletRequest.getAttribute("CERTIFICATE").

Sometimes, the above call returns "" (empty). I believe it occurs when the HTTP session has expired.

What would explain why HttpServletRequest.getAttribute("CERT") returns empty?

EDIT In Kerberos, for example, the ticket is available in every HTTP request. Is the cert not always in X.509 HTTP requests?


Solution

    1. Please access to certificate using this code: X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
    2. Certificate is always populated to request after successful client certificate authentication.

    Ensure your support long certificate chain:

    1. Add the max_packet_size propery to the worker.properties file worker.ajp13w.max_packet_size=65536

    2. Add the packetSize propery to the configuration of Ajp connector in the Tomcat configuration \conf\server.xml <Connector port="8089" enableLookups="false" redirectPort="8443" protocol="AJP/1.3" packetSize="65536"/>

    Apache logs: http://httpd.apache.org/docs/2.2/logs.html#accesslog http://httpd.apache.org/docs/2.2/logs.html#errorlog http://httpd.apache.org/docs/2.2/mod/core.html#loglevel