We run a REST service using embedded Tomcat. Our app requires mutual TLS to authenticate, and authorizes by extracting the CN from the client certificate and verifying the permissions in a set of authorized users.
This works fine with a reverse proxy, like Nginx using a config which extracts the CN and passes it in the HTTP header:
proxy_set_header X-SSL-Client-CN $ssl_client_s_dn_cn;
Is it possible in embedded Tomcat to extract the CN directly, instead of using a reverse proxy?
..and as a Tomcat committer I'd say, RTFM. The SSLValve will read the Base64 PEM public cert of your client, inject the X509Certificate, and then your Realm can provide an X509UsernameRetriever to read out what you need.
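Putting those pieces together for the no-proxy case, as an added example that is not part of this answer or of Tomcat's own code: when embedded Tomcat terminates TLS itself, the connector already exposes the client certificate to the Realm, so the SSLValve (which decodes the PEM cert a proxy forwards in a header) is not needed; what remains is an X509UsernameRetriever that pulls the CN and a Realm that checks it against the allow-list. It assumes Tomcat 9.x (tomcat-embed-core); the class names MtlsCnRealmExample, CnRetriever and AllowListRealm, the keystore/truststore paths and passwords, and the allowed CNs are placeholders.

```java
// Added example (not the project's code): embedded Tomcat 9.x; paths, passwords, allow-list are placeholders.
import java.security.cert.X509Certificate;
import java.util.*;
import javax.naming.ldap.*;
import javax.security.auth.x500.X500Principal;
import org.apache.catalina.Context;
import org.apache.catalina.authenticator.SSLAuthenticator;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.realm.*;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.*;
import org.apache.tomcat.util.net.*;
public class MtlsCnRealmExample {
    // Username = the single CN of the client cert subject (RFC 2253 parsing, so escaped commas are handled);
    // zero or several CNs yield null, which makes RealmBase reject the login instead of guessing.
    public static class CnRetriever implements X509UsernameRetriever {
        @Override public String getUsername(X509Certificate cert) {
            try {
                List<String> cns = new ArrayList<>();
                for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName(X500Principal.RFC2253)).getRdns())
                    if (rdn.getType().equalsIgnoreCase("CN")) cns.add(rdn.getValue().toString());
                return cns.size() == 1 ? cns.get(0) : null;
            } catch (Exception e) { return null; }
        }
    }
    // The certificate is the only credential; the CN must be on the allow-list to get a Principal and role.
    public static class AllowListRealm extends RealmBase {
        private final Set<String> allowed = Set.of("alice.service", "batch-job-1"); // constructed sample
        @Override protected String getPassword(String username) { return null; }
        @Override protected java.security.Principal getPrincipal(String username) {
            return username != null && allowed.contains(username) ? new GenericPrincipal(username, null, List.of("user")) : null;
        }
    }
    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat(); Connector c = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        c.setPort(8443); c.setScheme("https"); c.setSecure(true); c.setProperty("SSLEnabled", "true");
        SSLHostConfig ssl = new SSLHostConfig(); ssl.setCertificateVerification("required"); // mTLS: client cert mandatory
        ssl.setTruststoreFile("/path/to/client-ca.p12"); ssl.setTruststorePassword("changeit"); // placeholder
        SSLHostConfigCertificate cert = new SSLHostConfigCertificate(ssl, SSLHostConfigCertificate.Type.RSA);
        cert.setCertificateKeystoreFile("/path/to/server.p12"); cert.setCertificateKeystorePassword("changeit");
        ssl.addCertificate(cert); c.addSslHostConfig(ssl); tomcat.getService().addConnector(c);
        Context ctx = tomcat.addContext("", System.getProperty("java.io.tmpdir"));
        AllowListRealm realm = new AllowListRealm(); ctx.setRealm(realm);
        realm.setX509UsernameRetrieverClassName(CnRetriever.class.getName()); // RealmBase instantiates it on start
        LoginConfig lc = new LoginConfig(); lc.setAuthMethod("CLIENT-CERT"); ctx.setLoginConfig(lc);
        ctx.getPipeline().addValve(new SSLAuthenticator()); // addContext() wires no authenticator by itself
        SecurityConstraint sc = new SecurityConstraint(); sc.addAuthRole("user");
        SecurityCollection col = new SecurityCollection(); col.addPattern("/*"); sc.addCollection(col);
        ctx.addConstraint(sc); tomcat.start(); tomcat.getServer().await();
    }
}
```

A request whose certificate chains to the truststore but whose CN is not on the list is rejected by the Realm (no Principal), while a certificate that fails verification never completes the handshake.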