tomcat reverse-proxy mutual-authentication embedded-tomcat

Mutual TLS with embedded Tomcat and Common Name (CN)

We run a REST service using embedded Tomcat. Our app requires Mutual TLS to authenticate and authorizes by extracts the CN from the client certificate and verifies the permissions in a set of authorized users.

This works fine with a reverse proxy, like Nginx using a config which extracts the CN and passes it in the HTTP header:

proxy_set_header X-SSL-Client-CN $ssl_client_s_dn_cn;

Instead, is it possible in embedded Tomcat to extract the CN instead of using a reverse proxy?

Solution

..and as a Tomcat committer I'd say, RTFM. The SSLValve will read the Base 64 PEM public cert of your client, inject the X509Certificate and then your Realm can provide a X509UsernameRetriever to read out what you need.

How to get the popup menu to select user certificate in Tomcat 10 server?
Why my tomcat do not open when i run spring boot project?
class loading in tomcat on demand when 2 versions of a lib are present?
NoClassDefFoundError when running app with external lib with Tomcat
Unable to start spring boot war file from tomcat container
Spring boot embedded tomcat application session does not invalidate
ClassNotFoundException: org.apache.logging.log4j.Logger with Tomcat10 and Jakarta
What is the standard/modern way to use CAC/PIV card authentication in Java/Tomcat web applications?
Disadvantages of setting Tomcat's RECYCLE_FACADES = true?
incompatible version [1.1.34] of the APR based Apache Tomcat Native library
An established connection was aborted by the software in your host machine tomcat jackson
Tomcat localhost_access_log files cleanup
After Update to 7.84.14, Artifactory returns 400 on download artifact, which is not on the outer most level of the repo
Instantiation of bean failed; nested exception is java.lang.NoClassDefFoundError: org/springframework/core/io/Resource - using spring-core.4_2_5
How to use Bean Validation 2.0 (JSR 380) features in Tomcat 8?
IntelliJ IDE | .iml File lost or deleted
Transactions executed in Spring using external Tomcat twice faster than Spring embeded Tomcat
Spring WebClient Request Delay due to Inactive Connection
Why couldn't I add mod_proxy.c in Apache?
Using Docker to launch web app, can't connect to Postgresql DB?
index.jsp not found (cannot be loaded)
Can't use external css styling with jsp
java.lang.NoClassDefFoundError: javax/el/ELManager
Tomcat: One or more listeners failed to start
Spring-boot inner jar files loading order? (embedded tomcat)
How to clear catalina.out without disabling further logging?
java.lang.NoSuchMethodError for Ognl.createDefaultContext() in Struts 6.4.0
watchservice listener not working on tomcat
Tomcat JPMS error jakarta.security.auth.message
Websocket returns 200 instead of 101 by Apache Server