SSL Client Certificates from Tomcat - Availability in any scope?

Fritz

Aug 20, 2015, 4:09:57 AM
to Lucee
Hi,
I'm new to this group, as I just stumbled upon Lucee.
I'm a 10+ year experienced CFML developer and my recent projects were done on Railo. I'm just about migrating to Lucee as well.

My question is the following:
We're running a site where only clients with server-signed client certificates are allowed.
This is done on Tomcat application server with settings like clientAuth="true", keystoreFile is set as well as truststoreFile.
Everything works as expected, only clients with the trusted certificates are allowed.

My question is now: 
Can I access any data from the certificate from CFML?
I tried the CGI scope because I've seen a note on Adobe's docs (http://help.adobe.com/en_US/ColdFusion/9.0/CFMLRef/WSc3ff6d0ea77859461172e0811cbec22c24-7785.html) that there's a CGI.CERT_SUBJECT but only for IIS 4.0 or Netscape Enterprise (which seems quite outdated btw).

But I tried at least in Railo and the variables were there but not populated.

Any idea how this could be accomplished?

Thank you very much,
best regards
Fritz

Bilal

Aug 20, 2015, 6:58:08 AM
to Lucee
I believe you will have to dig into Java to do this.
If everything is correctly processed, your x509 info should be in the attributes scope of your request. Thus the Java request access methods, such as the request.getAttribute() function call, should return it.

Best,
Bilal

Fritz

Aug 20, 2015, 8:33:41 AM
to Lucee
Hi,
thanks for your hint.
I've found a few bits on the web regarding this.
All I've found is to use this:

<cfset x509 = GetPageContext().getRequest().getAttribute("javax.servlet.request.X509Certificate") />


But after this, variable x509 is empty / null.

So I think, Tomcat might not completely forward the information to the CFML engine?


Any other hints?


Thanks

Fritz
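
The lookup discussed in this thread, written out as an added example (not code from either poster or from the Lucee project). It reads the standard servlet attribute, handles the null case seen above without throwing, and returns the certificate fields an application would typically use for authorization or audit logging. The function name `getClientCertInfo` and the struct keys are hypothetical.

```cfml
<cfscript>
// Added example. Assumes a servlet container that exposes the standard
// "javax.servlet.request.X509Certificate" request attribute.
function getClientCertInfo() {
    var req = getPageContext().getRequest();

    // Record how the container itself saw the request; useful when
    // diagnosing why no certificate is attached.
    var result = {
        present = false,
        secure  = req.isSecure(),
        scheme  = req.getScheme()
    };

    // Per the Servlet spec this is an array of
    // java.security.cert.X509Certificate, client certificate first.
    var chain = req.getAttribute("javax.servlet.request.X509Certificate");

    // Null or empty: the container attached no client certificate
    // to this request. Return early so callers can fail closed.
    if (isNull(chain) || arrayLen(chain) == 0) {
        return result;
    }

    var cert = chain[1]; // CFML indexing is 1-based
    result.present   = true;
    result.chainLen  = arrayLen(chain);
    result.subject   = cert.getSubjectX500Principal().getName();
    result.issuer    = cert.getIssuerX500Principal().getName();
    result.serialHex = cert.getSerialNumber().toString(16);
    result.notBefore = cert.getNotBefore();
    result.notAfter  = cert.getNotAfter();
    return result;
}

certInfo = getClientCertInfo();
if (!certInfo.present) {
    // Fail closed: never treat a missing certificate as an identity.
    throw(type="ClientCertMissing",
          message="No client certificate on this request (secure=#certInfo.secure#, scheme=#certInfo.scheme#).");
}
writeOutput("Authenticated subject: " & encodeForHTML(certInfo.subject));
</cfscript>
```

The `secure` and `scheme` values in the error message show whether the container regarded the request as TLS at all, which is the first thing to check when the attribute comes back null.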
