[keycloak-user] Keycloak behind Apache with SSL - read certificate from body
Bill Burke
bburke at redhat.com
Thu Jul 7 16:25:22 EDT 2016
Don't you have to get the cert chain from a servlet request attribute?
This might work.
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import org.jboss.resteasy.spi.ResteasyProviderFactory;

// RESTEasy exposes the current servlet request through its context data
HttpServletRequest httpServletRequest =
        ResteasyProviderFactory.getContextData(HttpServletRequest.class);
// Standard servlet attribute holding the verified client certificate chain (null when none was sent)
X509Certificate[] certs =
        (X509Certificate[]) httpServletRequest.getAttribute("javax.servlet.request.X509Certificate");
On 7/7/16 10:53 AM, Filipe Lautert wrote:
> Hello
>
> short story: is there a way to get the request body sent from the
> client inside an Authenticator (my class implements Authenticator,
> using method @Override authenticate(context))? I'm trying with
> context.getHttpRequest().getInputStream() but it is empty.
>
> Full story:
> I'm trying to build a Keycloak authenticator that reads a client
> certificate and uses it to validate the user, using as a base the
> SecretQuestionAuthenticator example. The client certificate is a hard
> token that is read by Firefox. To handle the certificate read part I'm
> using Apache mod_ssl, with the below relevant configuration:
>
> SSLEngine on
> SSLProxyEngine on
>
> <LocationMatch "/auth">
>     ProxyPass ajp://localhost:8010/auth
>     ProxyPassReverse ajp://localhost:8010/auth
> </LocationMatch>
>
> SSLOptions +StdEnvVars +ExportCertData
>
> ... etc
>
>
> Looking at a tcpdump/wireshark on port 8010, I can see that the client
> certificate is sent on the request body to Keycloak.
>
>
> So far fine, Apache validates the certificate, extracts it and sends it to
> Keycloak. The problem is that I'm unable to read the request body
> inside my authenticator class as
> context.getHttpRequest().getInputStream() is empty, and as the body is
> the raw certificate the
> context.getHttpRequest().getFormParameters() method won't return me
> anything.
>
>
> import org.keycloak.authentication.AuthenticationFlowContext;
> import org.keycloak.authentication.Authenticator;
>
> public class SecretQuestionAuthenticator implements Authenticator {
>
>     @Override
>     public void authenticate(AuthenticationFlowContext context) {
>         // how many bytes are waiting in the request body
>         System.out.println(context.getHttpRequest().getInputStream().available());
>         // prints 0
>         System.out.println(getStringFromInputStream(context.getHttpRequest().getInputStream()));
>         // empty :(
>     }
>
>     // remaining Authenticator methods not shown in the post
> }
>
>
> Any ideas of how I can get it to work?
>
>
> Thanks
>
>
> filipe
>
> --
> filipe lautert
>
>