From 715f6820660b91d532e3bd75a53786267066e1a7 Mon Sep 17 00:00:00 2001
From: Mathieu Baudier
Date: Tue, 13 Nov 2018 11:19:10 +0100
Subject: [PATCH] Improve client certificate auth

---
 .../src/org/argeo/cms/auth/HttpSessionLoginModule.java | 8 ++++++++
 .../src/org/argeo/cms/auth/UserAdminLoginModule.java | 7 +++----
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
index 7b7207ef3..48220a868 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
@@ -201,6 +201,14 @@ public class HttpSessionLoginModule implements LoginModule {
 if (null != certs && certs.length > 0) {
 sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, certs[0].getSubjectX500Principal().getName());
 sharedState.put(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN, certs);
+ } else {
+ // When client has been verified by reverse proxy
+ String certDn = req.getHeader("SSL_CLIENT_S_DN");
+ if (certDn != null) {
+ sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, certDn);
+ String issuerDn = req.getHeader("SSL_CLIENT_I_DN");
+ sharedState.put(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN, issuerDn);
+ }
 }
 }
diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
index 83accceb4..b50bf8ac4 100644
--- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
@@ -5,7 +5,6 @@ import static org.argeo.naming.LdapAttrs.description;
 import java.io.IOException;
 import java.security.PrivilegedAction;
-import java.security.cert.X509Certificate;
 import java.time.Instant;
 import java.util.Arrays;
 import java.util.HashSet;
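Review bot: The new `else` branch in HttpSessionLoginModule authenticates a user from the `SSL_CLIENT_S_DN` request header with no check that the header actually came from the reverse proxy, so any client that can reach this servlet directly, or whose proxy does not strip and overwrite incoming `SSL_CLIENT_*` headers, can log in as an arbitrary DN without presenting a certificate. Unlike the `certs` branch above it, nothing here proves the TLS layer verified anything: Apache mod_ssl also populates `SSL_CLIENT_S_DN` when verification fails under `SSLVerifyClient optional_no_ca` and reports the outcome separately in `SSL_CLIENT_VERIFY`. The branch should be opt-in through configuration (a boolean field set in `initialize()` from the module options or a system property, presumably where the other options are read) and require a successful verification, e.g. `if (certDn != null && trustProxyClientCert && "SUCCESS".equals(req.getHeader("SSL_CLIENT_VERIFY"))) {`, with the deployment documentation stating that the proxy must unconditionally set these headers. Note also that this path stores a `String` issuer DN under `SHARED_STATE_CERTIFICATE_CHAIN` where the other path stores an `X509Certificate[]`, so consumers of that key cannot tell a locally verified chain from a proxy-asserted DN; a separate key such as a proxy issuer DN entry would keep the two trust levels apart. The enclosing method starts before and ends after the hunk.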
@@ -86,7 +85,7 @@ public class UserAdminLoginModule implements LoginModule {
 UserAdmin userAdmin = Activator.getUserAdmin();
 final String username;
 final char[] password;
- X509Certificate[] certificateChain = null;
+ Object certificateChain = null;
 if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME) && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_PWD)) {
 // NB: required by Basic http auth
@@ -103,8 +102,8 @@ public class UserAdminLoginModule implements LoginModule {
 e.printStackTrace();
 return false;
 }
- username = ldapName.getRdn(ldapName.size()-1).getValue().toString();
- certificateChain = (X509Certificate[]) sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
+ username = ldapName.getRdn(ldapName.size() - 1).getValue().toString();
+ certificateChain = sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
 password = null;
 } else if (singleUser) {
 username = OsUserUtils.getOsUsername();
-- 
2.30.2
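Review bot: Dropping the `X509Certificate[]` cast at the `certificateChain = sharedState.get(...)` assignment, together with widening the local to `Object` in the -86 hunk, makes this module silently accept whatever is stored under `SHARED_STATE_CERTIFICATE_CHAIN`, which after this commit is either a verified `X509Certificate[]` or a bare `String` issuer DN asserted by a reverse-proxy header. Whatever later consumes `certificateChain` (outside this hunk) can no longer distinguish those two trust levels by type, and a `String` is not a certificate chain at all. I would keep `X509Certificate[] certificateChain` here and have the proxy path publish its issuer DN under a distinct shared-state key read into its own variable, so each consumer decides explicitly which evidence it accepts; failing that, the assignment needs a comment such as `// X509Certificate[] from a direct TLS handshake, or a String issuer DN forwarded by the reverse proxy — callers must check the type`. The enclosing method (presumably `login()`) starts before and ends after the hunk.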