spray-can: server side support for accessing X509Certificate of authenticated SSL client


Michael Pilquist

Aug 31, 2013, 9:31:14 AM
to spray...@googlegroups.com
I'm currently investigating using spray-can server support in place of spray-servlet. I don't see a way to access the X509Certificate of the client when using an SSLEngine that's been configured for client authentication. Specifically, I'm looking for the spray-can equivalent of HttpServletRequest#getAttribute("javax.servlet.request.X509Certificate").

Assuming this isn't implemented and I just missed it, would you be interested in a PR that adds support? Something along the lines of:
- a new header that provides info about the javax.net.ssl.SSLSession: 
  case class SSLSessionInfo(cipherSuite: String, peerCertificateChain: List[X509Certificate], ...)
- Changes in SslTlsSupport to provide the SSLSession (via engine.getSession)

If this sounds like a good path, let me know. I'm not intimately familiar with the pipeline stages in HttpServerConnection, so any tips on how to get the SSLSession from SslTlsSupport into the resulting HttpRequest would be appreciated.

Regards,
Michael

Johannes Rudolph

Sep 1, 2013, 6:23:15 AM
to spray...@googlegroups.com
On Sat, Aug 31, 2013 at 3:31 PM, Michael Pilquist <mpil...@gmail.com> wrote:
Assuming this isn't implemented and I just missed it, would you be interested in a PR that adds support? Something along the lines of:
- a new header that provides info about the javax.net.ssl.SSLSession: 
  case class SSLSessionInfo(cipherSuite: String, peerCertificateChain: List[X509Certificate], ...)
- Changes in SslTlsSupport to provide the SSLSession (via engine.getSession)

I'd agree that this could be useful.
 
If this sounds like a good path, let me know. I'm not intimately familiar with the pipeline stages in HttpServerConnection, so any tips on how to get the SSLSession from SslTlsSupport into the resulting HttpRequest would be appreciated.

You need to find the point in the SslTlsSupport state machine where the handshake is finished. Then you would add a new Event transporting the information and push that into the outgoing event pipeline with `eventPL(event)`. This means the event will end up in the `eventPipeline` handler of upper-layer pipeline stages. I guess what you need to do then is to buffer this event in one of the upper layers until a request is read and then add the header to it.

--
Johannes

-----------------------------------------------
Johannes Rudolph
http://virtual-void.net
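A constructed sketch of the two pieces discussed above, the handshake-finished check and the SSLSessionInfo value built from `engine.getSession` (an added example, not code from spray or from either poster; the type, field names and helper names are assumptions, only the `javax.net.ssl` calls are real JDK API):

```scala
import java.security.cert.X509Certificate
import javax.net.ssl.{ SSLEngine, SSLEngineResult, SSLPeerUnverifiedException, SSLSession }

// Hypothetical shape of the header payload sketched in this thread; not spray's own type.
case class SSLSessionInfo(
  protocol: String,
  cipherSuite: String,
  sessionId: Vector[Byte],
  peerCertificateChain: List[X509Certificate]) {

  /** The client's leaf certificate, if the peer presented one and the TrustManager verified it. */
  def clientCertificate: Option[X509Certificate] = peerCertificateChain.headOption
}

object SSLSessionInfo {
  /** True once the engine reports the handshake as complete (checked after a wrap/unwrap). */
  def handshakeFinished(result: SSLEngineResult): Boolean =
    result.getHandshakeStatus == SSLEngineResult.HandshakeStatus.FINISHED

  /** Snapshot of an SSLSession; meaningful only after handshakeFinished returned true. */
  def fromSession(session: SSLSession): SSLSessionInfo = {
    val chain: List[X509Certificate] =
      try session.getPeerCertificates.toList.collect { case c: X509Certificate => c }
      catch {
        // No client certificate was presented (e.g. wantClientAuth without needClientAuth),
        // or the TrustManager did not verify it: record "no client identity" instead of failing.
        case _: SSLPeerUnverifiedException => Nil
      }
    SSLSessionInfo(session.getProtocol, session.getCipherSuite, session.getId.toVector, chain)
  }

  /** Convenience for the spot in SslTlsSupport where the engine is at hand. */
  def fromEngine(engine: SSLEngine): SSLSessionInfo = fromSession(engine.getSession)
}
```

With `needClientAuth` set on the engine an empty chain cannot occur, because the handshake itself fails without a certificate; with `wantClientAuth` it means the client chose not to authenticate, so any authorization built on the header must treat that case as anonymous.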

Michael Pilquist

Sep 3, 2013, 10:16:35 AM
to spray...@googlegroups.com
Thanks -- I've just about finished an initial PR but I ran into the case class 22 member limit when adding sslSessionInfoHeader to ServerSettings. Any preferences on how to address this?


Johannes Rudolph

Sep 4, 2013, 4:46:08 AM
to spray...@googlegroups.com
I'd vote for grouping all of the timeouts into an extra case class.

I added a ticket:


WDYT, Mathias?

Johannes

Mathias Doenitz

Sep 4, 2013, 9:13:32 AM
to spray...@googlegroups.com
Yes, I guess grouping the timeouts would be the easiest fix.
In a later stage we could also fold all booleans in a bit mask and provide a custom constructor that still supports all "spelled out" settings.

Cheers,
Mathias

---
mat...@spray.io
http://spray.io

Shrenik Dedhia

May 5, 2016, 8:32:21 PM
to spray.io User List
Was this ever fixed in spray-can? I don't see any documentation around this anywhere in the Spray docs.