ViS ViS - 6 months ago 11
Java Question

IS it possible to have One way and mutual ssl for same web App same time depending on URLs

I have a scenario where I have few rest web services, of which few need to enforce mutual ssl and few should just have one way ssl, here its same web application.

Is that possible in tomcat/Spring based application?

ViS ViS
Answer

Sorry for replying late, yes I did this, not sure if the best way but kind of a hack.

Step 1: Have one way SSL set with clientAuth=want in your tomcat. This will fix your scenario where you want to have one way ssl for all the webservices accept that one which needs extra/mutual authentication.

Step 2: Now for the web service which needs mutual ssl. Write a servlet filter and for that particular web service url check the incoming http request for certificates. loop through the certs found in the request and match it with the certs from your trust store. if you found the match let the request flow proceed, if not return an exception as SSL cert not found.

X509Certificate[] certificates = (X509Certificate[]) request
                    .getAttribute("javax.servlet.request.X509Certificate");

The above code will give you array of cert in your request.

Note: Make sure your SSL configuration is correct or else the certificates variable stays null.