With two-way-ssl exchange.getRequest().getSslInfo() always null [SPR-16507]

[spring-projects-issues]

Henning Vogt opened SPR-16507 and commented

Affected spring-boot configurations: Tomcat or Jetty Embedded (netty works)
If using two-way-ssl, the getSslInfo() is always null due to apparently wrong attribute used. The spec notes a different attribute that contains the x509Certificate (see below)

class org.springframework.http.server.reactive.ServletServerHttpRequest, in method initSslInfo()

Instead of java.security.cert.X509Certificate it should read the attribute javax.servlet.request.X509Certificate to return the certificate. This is statet here https://tomcat.apache.org/tomcat-8.5-doc/servletapi/javax/servlet/ServletRequest.html and https://docs.oracle.com/javaee/7/api/javax/servlet/ServletRequest.html

I think it's safe, just to rename this, since the spec says it, and I had the problem in real life, too. Don't know where the initial property came from, see reference URL.

---

Affects: 5.0.3

Reference URL: #20516

Issue Links:

• "Want" two-way-ssl not containing SSL-Certificate is not checkable due to contract violation [SPR-16842] #21382 "Want" two-way-ssl not containing SSL-Certificate is not checkable due to contract violation

Referenced from: commits dcf5c64

[spring-projects-issues]

Rossen Stoyanchev commented

Indeed that was a typo. The Servlet spec 3.10:

If there is an SSL certificate associated with the request, it must be exposed by the
servlet container to the servlet programmer as an array of objects of type
java.security.cert.X509Certificate and accessible via a ServletRequest
attribute of javax.servlet.request.X509Certificate .