Reputation: 7
I have set up a Jetty server with an SSL context configured with the key and trust stores; however, any client that has a valid certificate which the server trusts will be able to establish a TLS connection to the server.
However, I need to know which client of all the possible trusted clients is currently making a request; in other words, I need to know the client certificate used in this connection, in particular in the handler. Does anyone know how to access this certificate, or if it is even possible?
I want to perform some custom checks on the certificate to further filter out the clients based on some fields in the cert they present to the server.
PS: I did try to look online and research a bit, but nothing seems to be working.
Upvotes: 1
Views: 835
Reputation: 49472
Start by adding the SecureRequestCustomizer to your HttpConfiguration that the ServerConnector is using.
This in turn will add several Request attributes that you can use to access the security information present on the connection and request/response exchange.
Example (from LikeJettyXml.java):
```java
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.ssl.SslContextFactory;

// === jetty-http.xml ===
// Plain HTTP configuration; the HTTPS configuration below is derived from it.
HttpConfiguration http_config = new HttpConfiguration();
http_config.setSecureScheme("https");
http_config.setSecurePort(8443);

ServerConnector http = new ServerConnector(server,
        new HttpConnectionFactory(http_config));
http.setPort(8080);
http.setIdleTimeout(30000);
server.addConnector(http);

// === jetty-https.xml ===
// SSL Context Factory: server key store plus the trust store holding the client CA(s)
SslContextFactory sslContextFactory = new SslContextFactory();
sslContextFactory.setKeyStorePath("config/etc/keystore");
sslContextFactory.setKeyStorePassword(...);
sslContextFactory.setKeyManagerPassword(...);
sslContextFactory.setTrustStorePath("config/etc/keystore");
sslContextFactory.setTrustStorePassword(...);

// SSL HTTP Configuration
HttpConfiguration https_config = new HttpConfiguration(http_config);
https_config.addCustomizer(new SecureRequestCustomizer()); // <-- the magic line

// SSL Connector: TLS first, then HTTP/1.1 on top of it
ServerConnector sslConnector = new ServerConnector(server,
        new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString()),
        new HttpConnectionFactory(https_config));
sslConnector.setPort(8443);
server.addConnector(sslConnector);
```
Once this is in place, when you handle the request, you can access the Request attributes ...
- request.getAttribute("javax.servlet.request.X509Certificate") - an array of java.security.cert.X509Certificate used in the connection
- request.getAttribute("javax.servlet.request.cipher_suite") - the name of the cipher suite that was negotiated (type String)
- request.getAttribute("javax.servlet.request.key_size") - the key size (type Integer)
- request.getAttribute("javax.servlet.request.ssl_session_id") - the SSL session ID (type String)
- request.getAttribute("org.eclipse.jetty.servlet.request.ssl_session") - the active javax.net.ssl.SSLSession in use by the connection.
You should be able to get the information you need from one of these information sources. (Please don't change any values on these attributes, or risk all sorts of bizarre behavior)
Upvotes: 1
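As an added example (not code from the answer above or from Jetty's own LikeJettyXml.java), a Jetty 9 style handler that reads the javax.servlet.request.X509Certificate attribute the answer lists and does the kind of "custom check" the question asks for: it identifies the calling client by the leaf certificate's subject CN and rejects anything not on a constructed allow-list. The class name, the allow-list and the CN-based rule are assumptions for illustration; the trust store has already validated the chain, so this code only decides which trusted client is calling.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.eclipse.jetty.server.Request;
import org.eclipse.jetty.server.handler.AbstractHandler;

// Hypothetical handler: chain validity was decided by the trust store during the
// TLS handshake; here we only decide *which* trusted client is calling.
public class ClientCertHandler extends AbstractHandler {
    private final Set<String> allowedCommonNames; // constructed allow-list of client CNs

    public ClientCertHandler(Set<String> allowedCommonNames) {
        this.allowedCommonNames = allowedCommonNames;
    }

    @Override
    public void handle(String target, Request baseRequest, HttpServletRequest request,
                       HttpServletResponse response) throws IOException {
        // Populated by SecureRequestCustomizer; null when no client certificate was sent.
        X509Certificate[] chain =
            (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");
        // Only the leaf (chain[0]) identifies the client; later entries are CA certificates.
        String cn = (chain == null || chain.length == 0) ? null : commonName(chain[0]);
        if (cn == null || !allowedCommonNames.contains(cn)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            baseRequest.setHandled(true);
            return;
        }
        response.setStatus(HttpServletResponse.SC_OK);
        response.getWriter().println("hello " + cn);
        baseRequest.setHandled(true);
    }

    // Parse the subject DN with the JDK LDAP name parser rather than splitting the string.
    static String commonName(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return String.valueOf(rdn.getValue());
                }
            }
        } catch (InvalidNameException e) {
            // An unparseable DN is treated as "no CN", so the request is refused above.
        }
        return null;
    }
}
```

Register it with server.setHandler(new ClientCertHandler(Set.of("client-a"))), and call sslContextFactory.setNeedClientAuth(true) on the factory from the answer, otherwise the server never asks for a client certificate and the attribute stays null.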