Improve client certificate auth

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
index 7b7207ef3e32536b84b8c67f099617ca14d42fe1..48220a86876b7db2b3092ad9395757cc648514c5 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/HttpSessionLoginModule.java
@@ -201,6 +201,14 @@ public class HttpSessionLoginModule implements LoginModule {
                if (null != certs && certs.length > 0) {
                        sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, certs[0].getSubjectX500Principal().getName());
                        sharedState.put(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN, certs);
+               } else {
+                       // When client has been verified by reverse proxy
+                       String certDn = req.getHeader("SSL_CLIENT_S_DN");
+                       if (certDn != null) {
+                               sharedState.put(CmsAuthUtils.SHARED_STATE_NAME, certDn);
+                               String issuerDn = req.getHeader("SSL_CLIENT_I_DN");
+                               sharedState.put(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN, issuerDn);
+                       }
                }
        }
 

diff --git a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
index 83accceb4d6f1047a6a4eb9ba11b120a2f40db13..b50bf8ac4699ba5098fff3cac93d041d5c687efd 100644 (file)
--- a/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
+++ b/org.argeo.cms/src/org/argeo/cms/auth/UserAdminLoginModule.java
@@ -5,7 +5,6 @@ import static org.argeo.naming.LdapAttrs.description;
 
 import java.io.IOException;
 import java.security.PrivilegedAction;
-import java.security.cert.X509Certificate;
 import java.time.Instant;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -86,7 +85,7 @@ public class UserAdminLoginModule implements LoginModule {
                UserAdmin userAdmin = Activator.getUserAdmin();
                final String username;
                final char[] password;
-               X509Certificate[] certificateChain = null;
+               Object certificateChain = null;
                if (sharedState.containsKey(CmsAuthUtils.SHARED_STATE_NAME)
                                && sharedState.containsKey(CmsAuthUtils.SHARED_STATE_PWD)) {
                        // NB: required by Basic http auth
@@ -103,8 +102,8 @@ public class UserAdminLoginModule implements LoginModule {
                                e.printStackTrace();
                                return false;
                        }
-                       username = ldapName.getRdn(ldapName.size()-1).getValue().toString();
-                       certificateChain = (X509Certificate[]) sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
+                       username = ldapName.getRdn(ldapName.size() - 1).getValue().toString();
+                       certificateChain = sharedState.get(CmsAuthUtils.SHARED_STATE_CERTIFICATE_CHAIN);
                        password = null;
                } else if (singleUser) {
                        username = OsUserUtils.getOsUsername();