[keycloak-user] Keycloak behind Apache with SSL - read certificate from body

Filipe Lautert filipelautert at gmail.com
Fri Jul 8 10:11:05 EDT 2016


Hi

thanks Bill, it worked - I wasn't aware of the class ResteasyProviderFactory.

Cheers

filipe

On Thu, Jul 7, 2016 at 5:25 PM Bill Burke <bburke at redhat.com> wrote:

> Don't you have to get the cert chain from a servlet request attribute?
> This might work.
>
>
>     HttpServletRequest httpServletRequest = ResteasyProviderFactory.getContextData(HttpServletRequest.class);
>     X509Certificate[] certs = (X509Certificate[]) httpServletRequest.getAttribute("javax.servlet.request.X509Certificate");
>
>
>
>
> On 7/7/16 10:53 AM, Filipe Lautert wrote:
>
> Hello
>
> short story: is there a way to get the request body sent from the client
> inside an Authenticator (my class implements Authenticator, using
> method @Override authenticate(context))? I'm trying with context.getHttpRequest().getInputStream()
> but it is empty.
>
> Full story:
> I'm trying to build a Keycloak authenticator that reads a client
> certificate and uses it to validate the user, using as a base the
> SecretQuestionAuthenticator example. The client certificate is a hard
> token that is read by Firefox. To handle the certificate read part I'm using
> Apache mod_ssl, with the below relevant configuration:
>
> SSLEngine on
> SSLProxyEngine on
>
> <LocationMatch "/auth">
>     ProxyPass ajp://localhost:8010/auth
>     ProxyPassReverse ajp://localhost:8010/auth
> </LocationMatch>
>
> SSLOptions +StdEnvVars +ExportCertData
>
> ... etc
>
>
> Looking at a tcpdump/wireshark on port 8010, I can see that the client
> certificate is sent on the request body to Keycloak.
>
>
> So far fine, Apache validates the certificate, extracts it and sends it to
> Keycloak. The problem is that I'm unable to read the request body inside my
> authenticator class as context.getHttpRequest().getInputStream() is
> empty, and as the body is the raw certificate the context.getHttpRequest().getFormParameters()
> method won't return me anything.
>
>
> import java.io.IOException;
> import org.keycloak.authentication.AuthenticationFlowContext;
> import org.keycloak.authentication.Authenticator;
>
> public class SecretQuestionAuthenticator implements Authenticator {
>     @Override
>     public void authenticate(AuthenticationFlowContext context) {
>         try {
>             // prints 0
>             System.out.println(context.getHttpRequest().getInputStream().available());
>             // empty :(
>             System.out.println(getStringFromInputStream(context.getHttpRequest().getInputStream()));
>         } catch (IOException e) {
>             throw new RuntimeException(e);
>         }
>     }
>     // the other Authenticator methods and getStringFromInputStream() were not included in the post
> }
>
>
> Any ideas of how I can get it to work?
>
>
> Thanks
>
>
> filipe
> --
> filipe lautert
>
>
> _______________________________________________
> keycloak-user mailing list
> keycloak-user at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-user

-- 
filipe lautert

