tomcat, reverse-proxy, mutual-authentication, embedded-tomcat

Mutual TLS with embedded Tomcat and Common Name (CN)


We run a REST service using embedded Tomcat. Our app requires mutual TLS to authenticate, and authorizes by extracting the CN from the client certificate and verifying the permissions against a set of authorized users.

This works fine with a reverse proxy, like Nginx using a config which extracts the CN and passes it in the HTTP header:

proxy_set_header X-SSL-Client-CN $ssl_client_s_dn_cn;

Is it possible in embedded Tomcat to extract the CN directly, instead of using a reverse proxy?


Solution

  • ..and as a Tomcat committer I'd say, RTFM. The SSLValve will read the Base64 PEM public cert of your client, inject the X509Certificate, and then your Realm can provide an X509UsernameRetriever to read out what you need.
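As an added example (not from the question or the answer, and not Tomcat's own code), the embedded setup the question asks for against the Tomcat 9 API: the HTTPS connector itself requires a client certificate, a custom X509UsernameRetriever turns the CN of the verified certificate into the username, and the Realm decides whether that user holds the required role. The keystore and truststore paths, their passwords, the tomcat-users.xml file and the api-user role are assumptions.

```java
import java.security.cert.X509Certificate;
import javax.naming.ldap.*;
import org.apache.catalina.Context;
import org.apache.catalina.authenticator.SSLAuthenticator;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.realm.*;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.*;
import org.apache.tomcat.util.net.*;
public class MtlsServer {
    // Maps an already-verified client certificate to a username: its subject CN.
    public static class CnUsernameRetriever implements X509UsernameRetriever {
        @Override
        public String getUsername(X509Certificate clientCert) {
            try {
                // Walk the parsed RDNs rather than regex-matching the DN string, so an escaped
                // comma or quoted value elsewhere in the subject cannot produce a wrong CN.
                for (Rdn rdn : new LdapName(clientCert.getSubjectX500Principal().getName()).getRdns()) {
                    if ("CN".equalsIgnoreCase(rdn.getType())) return rdn.getValue().toString();
                }
            } catch (javax.naming.InvalidNameException ignored) { }
            return null; // no CN: the realm finds no user and authentication fails closed
        }
    }
    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();
        Connector c = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        c.setPort(8443); c.setScheme("https"); c.setSecure(true);
        c.setProperty("SSLEnabled", "true");
        SSLHostConfig ssl = new SSLHostConfig();
        SSLHostConfigCertificate cert = new SSLHostConfigCertificate(ssl, SSLHostConfigCertificate.Type.UNDEFINED);
        cert.setCertificateKeystoreFile("server.p12"); cert.setCertificateKeystorePassword("changeit"); // assumed
        ssl.addCertificate(cert);
        ssl.setTruststoreFile("client-ca.p12"); ssl.setTruststorePassword("changeit"); // assumed: client CA
        ssl.setCertificateVerification("required"); // handshake fails unless a cert chaining to that CA is presented
        c.addSslHostConfig(ssl); tomcat.getService().addConnector(c);
        MemoryRealm realm = new MemoryRealm(); // assumed: the authorized users and their roles live in this file
        realm.setPathname("tomcat-users.xml");
        realm.setX509UsernameRetrieverClassName(CnUsernameRetriever.class.getName());
        Context ctx = tomcat.addContext("", System.getProperty("java.io.tmpdir")); ctx.setRealm(realm);
        ctx.setLoginConfig(new LoginConfig("CLIENT-CERT", null, null, null));
        ctx.getPipeline().addValve(new SSLAuthenticator()); // addContext adds no authenticator once a LoginConfig is set
        SecurityConstraint sc = new SecurityConstraint();
        sc.addAuthRole("api-user"); // assumed role name
        SecurityCollection all = new SecurityCollection(); all.addPattern("/*");
        sc.addCollection(all); ctx.addConstraint(sc);
        tomcat.start(); tomcat.getServer().await();
    }
}
```

The SSLValve the answer mentions covers the reverse-proxy case, where Tomcat trusts a certificate forwarded in a header; with the connector doing the handshake itself, no header is involved and the retriever only ever sees a certificate that Tomcat has already verified against the truststore.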