Jetty truststore authentication with SSL client-auth


I'm trying to make a web-app using client keys for client authentication. I think I've figured out the whole truststore problem so I can get the client actually authenticated. However, I don't want to require client auth. I just want to test for it and enable features if it's enabled.

I can use .wantClientAuth which will request it, but allow connection if it doesn't exist. But I can't find any property to find out if the request has been authenticated.

This should exist, otherwise what is the purpose of wantClientAuth? How do I use it?


There are 2 best solutions below

1
On

I don't have the setup running here to test it right now, but shouldn't request.getUserPrincipal() and request.getAuthType() give you what you want?

See http://www.docjar.com/docs/api/javax/servlet/http/HttpServletRequest.html

(That assumes you have access to the servlet request in the context in which you're working)

0
On

If you're using the servlet API, use Tim's method. Here are some other ideas depending on your calling context.

After the handshake completes you could call getCertChain on the SSLSession. If it's null then the client didn't authenticate with a client cert.

See the customize method here:

http://www.javadocexamples.com/java_source/org/mortbay/jetty/security/SslSocketConnector.java.html

Alternatively you could call getLocalPrincipal or getLocalCertificates on the HttpsURLConnection. If they're null then there is no client cert.
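
As an added example (not code from either answer or from Jetty), the servlet below tests for an optional client certificate by reading the `javax.servlet.request.X509Certificate` request attribute, which the Servlet specification defines for requests that arrived over TLS with a client certificate. The class name `OptionalClientCertServlet` is hypothetical, and the code assumes the `javax.servlet` API on the classpath and a connector configured with wantClientAuth and the default truststore-based validation.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Added example: optional client-certificate check for a connector configured
// with wantClientAuth (certificate requested, not required).
public class OptionalClientCertServlet extends HttpServlet {

    // Standard Servlet API attribute holding the peer's certificate chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** Returns the client's leaf certificate, or null if none was presented. */
    static X509Certificate clientCertificate(HttpServletRequest request) {
        if (!request.isSecure()) {
            return null; // plain HTTP: no TLS handshake, so no certificate
        }
        Object attr = request.getAttribute(CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return null; // client declined the certificate request
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        return chain.length > 0 ? chain[0] : null; // index 0 is the client's own cert
    }

    @Override
    protected void doGet(HttpServletRequest request, HttpServletResponse response)
            throws IOException {
        X509Certificate cert = clientCertificate(request);
        response.setContentType("text/plain;charset=UTF-8");
        if (cert == null) {
            // Anonymous TLS client: serve only the baseline feature set.
            response.getWriter().println("No client certificate; extra features disabled.");
            return;
        }
        // Assumption: the chain was validated against the truststore during the
        // handshake. That proves who the client is, not what it may do, so map
        // the subject to your own permissions before unlocking anything sensitive.
        String subject = cert.getSubjectX500Principal().getName();
        response.getWriter().println("Client certificate for " + subject
                + "; extra features enabled.");
    }
}
```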