Package org.keycloak.services.x509
Class NginxProxySslClientCertificateLookup
java.lang.Object
org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
org.keycloak.services.x509.NginxProxySslClientCertificateLookup
- All Implemented Interfaces:
Provider
,X509ClientCertificateLookup
public class NginxProxySslClientCertificateLookup
extends AbstractClientCertificateFromHttpHeadersLookup
The NGINX Provider extract end user X.509 certificate send during TLS mutual authentication,
and forwarded in an http header.
NGINX configuration must have :
server {
...
ssl_client_certificate path-to-my-trustyed-cas-for-client-auth.pem;
ssl_verify_client on|optional_no_ca;
ssl_verify_depth 2;
...
location / {
...
proxy_set_header ssl-client-cert $ssl_client_escaped_cert;
...
}
Note that $ssl_client_cert is deprecated, use only $ssl_client_escaped_cert with this implementation- Since:
- 10/09/2018
- Version:
- $Revision: 1 $
- Author:
- Arnault MICHEL
-
Field Summary
Fields inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
certificateChainLength, logger, sslCertChainHttpHeaderPrefix, sslClientCertHttpHeader
-
Constructor Summary
ConstructorDescriptionNginxProxySslClientCertificateLookup
(String sslClientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength, Set<X509Certificate> intermediateCerts, Set<X509Certificate> trustedRootCerts, boolean isTruststoreLoaded) -
Method Summary
Modifier and TypeMethodDescriptionprotected X509Certificate
Decoding end user certificate, including URL decodeding due to ssl_client_escaped_cert nginx variable.getCertificateChain
(HttpRequest httpRequest) Returns a client certificate, and optionally any certificates in the certificate chain.Methods inherited from class org.keycloak.services.x509.AbstractClientCertificateFromHttpHeadersLookup
close, getCertificateFromHttpHeader
-
Constructor Details
-
NginxProxySslClientCertificateLookup
public NginxProxySslClientCertificateLookup(String sslClientCertHttpHeader, String sslCertChainHttpHeaderPrefix, int certificateChainLength, Set<X509Certificate> intermediateCerts, Set<X509Certificate> trustedRootCerts, boolean isTruststoreLoaded)
-
-
Method Details
-
decodeCertificateFromPem
Decoding end user certificate, including URL decodeding due to ssl_client_escaped_cert nginx variable.- Specified by:
decodeCertificateFromPem
in classAbstractClientCertificateFromHttpHeadersLookup
- Throws:
PemException
-
getCertificateChain
public X509Certificate[] getCertificateChain(HttpRequest httpRequest) throws GeneralSecurityException Description copied from interface:X509ClientCertificateLookup
Returns a client certificate, and optionally any certificates in the certificate chain.- Specified by:
getCertificateChain
in interfaceX509ClientCertificateLookup
- Overrides:
getCertificateChain
in classAbstractClientCertificateFromHttpHeadersLookup
- Returns:
- Throws:
GeneralSecurityException
-