WebFlux Should Communicate X509 Authentication [SPR-15964]

[spring-projects-issues]

Rob Winch opened SPR-15964 and commented

X509 authentication occurs at the socket connection and thus must be done by the container (i.e. Netty). However, many applications need to perform authorization based upon the X509 certificate.

To solve this in the servlet world, the X509 certificate is communicated to the user using a HttpServletRequest.getAttribute

The WebFlux abstraction should provide a mechanism to communicate the X509 certificate to the user.

---

Affects: 5.0 RC4

Referenced from: commits 87375fe

[spring-projects-issues]

Rossen Stoyanchev commented

The Servlet API (section 3.10 "SSL Attributes") mandates the following request attribute:

Attribute	Attribute Name	Java Type
cipher suite	javax.servlet.request.cipher_suite	String
bit size of the algorithm	javax.servlet.request.key_size	Integer
SSL session id	javax.servlet.request.ssl_session_id	String
SSL certificate chain	java.security.cert.X509Certificate	javax.servlet.request.X509Certificate[]

For Netty it looks like SslHandler.engine().getSession() can give us access to a javax.net.ssl.SSLSession. Typically the application creates an SslContext, either with Open SSL or JDK provider, and that's used then to create the SslHandler as shown in SecureChat in the Netty sources. SSLSession has the same information that's exposed via request attributes in the Servlet API (and Tomcat extracts the same from an SSLSession too).

The Undertow HttpServerExchange.getConnection() has SSLSession getSslSession() and SSLSessionInfo getSslSessionInfo().

So we can expose some SSL info object via ServerHttpRequest that matches what's available via ServletRequest attributes. Rob Winch just curious if all of those ServletRequest attributes are of use to you, should we expose all of them?

One challenge still is that SSLSession only provides access to a Certificate[] getPeerCertificates() while X509Certificate[] getPeerCertificateChain() (which returns the X590Certificate from the javax.security and not from java.security) is deprecated in Java 9. So to have a uniform API we need to somehow create X509Certificate[] from SSLSession. Maybe something like what Tomcat does?

[spring-projects-issues]

Rossen Stoyanchev commented

ServerHttpRequest now provides a getSslInfo() method.