Package org.keycloak.services.x509
Class NginxProxySslClientCertificateLookup
- java.lang.Object
-
- org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
-
- org.keycloak.services.x509.NginxProxySslClientCertificateLookup
-
- All Implemented Interfaces:
Provider
,X509ClientCertificateLookup
public class NginxProxySslClientCertificateLookup extends AbstractClientCertificateFromHttpHeadersLookup
The NGINX Provider extract end user X.509 certificate send during TLS mutual authentication, and forwarded in an http header. NGINX configuration must have :server { ... ssl_client_certificate path-to-my-trustyed-cas-for-client-auth.pem; ssl_verify_client on|optional_no_ca; ssl_verify_depth 2; ... location / { ... proxy_set_header ssl-client-cert $ssl_client_escaped_cert; ... }
Note that $ssl_client_cert is deprecated, use only $ssl_client_escaped_cert with this implementation- Since:
- 10/09/2018
- Version:
- $Revision: 1 $
- Author:
- Arnault MICHEL
-
-
Field Summary
-
Fields inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
certificateChainLength, logger, sslCertChainHttpHeaderPrefix, sslClientCertHttpHeader
-
-
Constructor Summary
Constructors Constructor Description NginxProxySslClientCertificateLookup(String sslClientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength, Set<X509Certificate> intermediateCerts, Set<X509Certificate> trustedRootCerts, boolean isTruststoreLoaded)
-
Method Summary
All Methods Instance Methods Concrete Methods Modifier and Type Method Description protected X509Certificate
decodeCertificateFromPem(String pem)
Decoding end user certificate, including URL decodeding due to ssl_client_escaped_cert nginx variable.X509Certificate[]
getCertificateChain(HttpRequest httpRequest)
Returns a client certificate, and optionally any certificates in the certificate chain.-
Methods inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
close, getCertificateFromHttpHeader
-
-
-
-
Constructor Detail
-
NginxProxySslClientCertificateLookup
public NginxProxySslClientCertificateLookup(String sslClientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength, Set<X509Certificate> intermediateCerts, Set<X509Certificate> trustedRootCerts, boolean isTruststoreLoaded)
-
-
Method Detail
-
decodeCertificateFromPem
protected X509Certificate decodeCertificateFromPem(String pem) throws PemException
Decoding end user certificate, including URL decodeding due to ssl_client_escaped_cert nginx variable.- Specified by:
decodeCertificateFromPem
in classAbstractClientCertificateFromHttpHeadersLookup
- Throws:
PemException
-
getCertificateChain
public X509Certificate[] getCertificateChain(HttpRequest httpRequest) throws GeneralSecurityException
Description copied from interface:X509ClientCertificateLookup
Returns a client certificate, and optionally any certificates in the certificate chain.- Specified by:
getCertificateChain
in interfaceX509ClientCertificateLookup
- Overrides:
getCertificateChain
in classAbstractClientCertificateFromHttpHeadersLookup
- Returns:
- Throws:
GeneralSecurityException
-
-