I've implemented a REST API in Spring Boot running on a Tomcat server. This REST API calls another Spring REST API running on a different Tomcat server. Both web applications require client certificates for authentication. How do I pass the client certificate information from app1 to app2 when making a REST call? Currently the REST call on app1 looks like this:

    @RequestMapping("/logintest")
    @ResponseBody
    ResponseEntity<String> logintest(HttpServletRequest request) {
        // Let's try and login.
        HttpUriRequest loginRequest = new HttpGet("http://localhost:8080/app2/login/")
        // Sets the certificate attribute on the incoming servlet request only;
        // nothing is attached to loginRequest.
        request.setAttribute(X509_CERT_ATTRIBUTE,
                request.getAttribute("javax.servlet.request.X509Certificate"))
        HttpClient httpClient = new DefaultHttpClient()
        // Execute the outbound request built above.
        HttpResponse response = httpClient.execute(loginRequest)
    }

However, this doesn't seem to pass the certificate information to app2. When app2 attempts to parse the certificate information for authentication it gets back a null.
App2 is doing the following to extract the client certificate from the request:

    X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

To answer my own question: since both applications were Spring applications using the JSESSIONID cookie for establishing the SecurityContext after a login, I was able to simply pass the JSESSIONID cookie from App2 to App1 (the login app) in order to make REST calls.
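
The `javax.servlet.request.X509Certificate` attribute is filled in by the container from the TLS handshake on the inbound connection, so it is not carried on an outbound HTTP call, and app1 cannot re-present the caller's certificate because it does not hold the caller's private key. For app2 to see a certificate at all, app1 has to present one of its own in a TLS handshake with app2, as in this added example (not code from the original post). It assumes Java 11+; the keystore file names, the `APP1_STORE_PASSWORD` variable and the HTTPS URL on port 8443 are placeholders.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class App2Client {
    // Load a PKCS#12 store from disk (path and password are placeholders).
    static KeyStore load(String path, char[] pw) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            ks.load(in, pw);
        }
        return ks;
    }

    // TLS context that presents app1's own certificate and trusts only the CA in 'trust'.
    static SSLContext mutualTls(KeyStore identity, char[] keyPw, KeyStore trust) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(identity, keyPw);   // private key + certificate chain for app1
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);             // certificates accepted for app2's server certificate
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String p = System.getenv("APP1_STORE_PASSWORD");   // assumed variable name
        if (p == null) throw new IllegalStateException("APP1_STORE_PASSWORD not set");
        char[] pw = p.toCharArray();
        SSLContext ctx = mutualTls(load("app1-identity.p12", pw), pw, load("app2-trust.p12", pw));
        HttpClient client = HttpClient.newBuilder().sslContext(ctx).build();
        // Assumed HTTPS endpoint for app2; a plain http:// URL performs no TLS handshake.
        HttpRequest req = HttpRequest.newBuilder(URI.create("https://localhost:8443/app2/login/"))
                .GET().build();
        HttpResponse<String> resp = client.send(req, HttpResponse.BodyHandlers.ofString());
        System.out.println(resp.statusCode());
    }
}
```

With this setup app2 authenticates app1 as a service, not the original end user, so any end-user identity has to travel separately, for example in the session cookie described in the answer above.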