Package org.keycloak.services.x509

Class NginxProxySslClientCertificateLookup

java.lang.Object

org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup

org.keycloak.services.x509.NginxProxySslClientCertificateLookup

All Implemented Interfaces:

Provider, X509ClientCertificateLookup

public class NginxProxySslClientCertificateLookup
extends AbstractClientCertificateFromHttpHeadersLookup

The NGINX Provider extract end user X.509 certificate send during TLS mutual authentication, and forwarded in an http header. NGINX configuration must have : server { ... ssl_client_certificate path-to-my-trustyed-cas-for-client-auth.pem; ssl_verify_client on|optional_no_ca; ssl_verify_depth 2; ... location / { ... proxy_set_header ssl-client-cert $ssl_client_escaped_cert; ... } Note that $ssl_client_cert is deprecated, use only $ssl_client_escaped_cert with this implementation

Since:

10/09/2018

Version:

$Revision: 1 $

Author:

Arnault MICHEL

Field Summary

Fields inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup

certificateChainLength, logger, sslCertChainHttpHeaderPrefix, sslClientCertHttpHeader

Constructor Summary

Constructors

Constructor	Description
NginxProxySslClientCertificateLookup(String sslClientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength, Set<X509Certificate> intermediateCerts, Set<X509Certificate> trustedRootCerts, boolean isTruststoreLoaded)

Method Summary

Modifier and Type	Method	Description
protected X509Certificate	decodeCertificateFromPem(String pem)	Decoding end user certificate, including URL decodeding due to ssl_client_escaped_cert nginx variable.
X509Certificate[]	getCertificateChain(HttpRequest httpRequest)	Returns a client certificate, and optionally any certificates in the certificate chain.

Methods inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup

close, getCertificateFromHttpHeader

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

NginxProxySslClientCertificateLookup

public NginxProxySslClientCertificateLookup(String sslClientCertHttpHeader,
                                            String sslCertChainHttpHeaderPrefix,
                                            int certificateChainLength,
                                            Set<X509Certificate> intermediateCerts,
                                            Set<X509Certificate> trustedRootCerts,
                                            boolean isTruststoreLoaded)

Method Detail

decodeCertificateFromPem

protected X509Certificate decodeCertificateFromPem(String pem)
                                            throws PemException

Decoding end user certificate, including URL decodeding due to ssl_client_escaped_cert nginx variable.

Specified by:

decodeCertificateFromPem in class AbstractClientCertificateFromHttpHeadersLookup

Throws:

PemException

getCertificateChain

public X509Certificate[] getCertificateChain(HttpRequest httpRequest)
                                      throws GeneralSecurityException

Description copied from interface: X509ClientCertificateLookup

Returns a client certificate, and optionally any certificates in the certificate chain.

Specified by:

getCertificateChain in interface X509ClientCertificateLookup

Overrides:

getCertificateChain in class AbstractClientCertificateFromHttpHeadersLookup

Returns:

Throws:

GeneralSecurityException