authenticate users based on client certificate in webservice handling

8
For the webservice interface we should authenticate users based on the client certificates they use. When enabling certificates for incoming connections in the Mendix cloud, this seems to be only on the infrastructure level. I want to use the same certificates to authenticate the user. Because I can't change anything in the default webservice request handling (?!), the idea is the following:

1. Add own request handler, "ws2/".
2. Own request handler should pull certificate from httpServletRequest and look up the user from the System.User table based on the public key.
3. Alter the SOAP message received on ws2, and add SOAP header with public key.
4. Call the Mendix webservice.
4.b. Webservice authentication set to Custom, and look up the corresponding user from the public key.

In short: building a proxy for the default webservice request handler.

Questions:

- Is this the best solution?
- Regarding nr 4: how to call the Mendix webservice module without doing an actual HTTP request? One option I found is to instantiate the default WebserviceRequestHandler of Mendix. It also extends from RequestHandler and contains the processRequest method. However: it expects a LocalComponent and a WebserviceModule parameter, where do I get them? Or is there a function like Core.addRequestHandler to get the request handler, so I don't have to instantiate it? Then I can obtain the "ws/" handler. Option 2 is to do something like Core.callWebservice. This is dirty imo because this causes an unnecessary HTTP request.
- As an alternative to 3 and 4 it's also possible to create a user session based on the public key in the ws2 request handler. The question then is: is there an option to invoke the webservice request handler directly in the context of the created session? That would be the best, because then it wouldn't be necessary to alter the SOAP message with custom headers.
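Code for nr 2:

```java
import java.security.cert.X509Certificate;

import javax.servlet.http.HttpServletRequest;

import com.mendix.core.Core;
import com.mendix.externalinterface.connector.RequestHandler;
import com.mendix.m2ee.api.IMxRuntimeRequest;
import com.mendix.m2ee.api.IMxRuntimeResponse;
import com.mendix.systemwideinterfaces.core.IContext;

public class WebserviceServlet extends RequestHandler {

    @Override
    public void processRequest(IMxRuntimeRequest request, IMxRuntimeResponse response, String arg2) throws Exception {
        IContext context = Core.createSystemContext();
        // Client certificate presented during the TLS handshake
        X509Certificate cert = this.extractCertificate(request.getHttpServletRequest());
        // Remaining handling (user lookup, forwarding) is not part of this snippet
    }

    // Returns the client's own certificate (first entry of the chain the container exposes)
    protected X509Certificate extractCertificate(HttpServletRequest req) {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        if (null != certs && certs.length > 0) {
            return certs[0];
        }
        throw new RuntimeException("No X.509 client certificate found in request");
    }
}
```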
asked
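
One way to do the lookup in step 2, as an added example that is not part of the original post or Mendix's own code: key the user table on a SHA-256 fingerprint of the certificate's public key and fail closed on unknown or out-of-date certificates. The class and method names, the in-memory map standing in for System.User and the user name ws_client_a are hypothetical; main uses constructed RSA key pairs, and the code assumes the container already validated the certificate chain during the TLS handshake.

```java
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.PublicKey;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import java.util.Optional;

public class CertUserLookup {

    /** SHA-256 over the DER-encoded SubjectPublicKeyInfo, as lowercase hex. */
    static String spkiFingerprint(PublicKey key) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    /**
     * Maps a client certificate to a user name. An expired or not-yet-valid
     * certificate throws; a key that is not registered yields Optional.empty(),
     * so the caller has to reject the request explicitly.
     */
    static Optional<String> resolveUser(X509Certificate cert,
                                        Map<String, String> usersByFingerprint) throws Exception {
        cert.checkValidity(); // validity period only; chain validation is the container's job
        return Optional.ofNullable(usersByFingerprint.get(spkiFingerprint(cert.getPublicKey())));
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample data: two fresh RSA keys, only one of them registered.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        PublicKey registered = gen.generateKeyPair().getPublic();
        PublicKey unregistered = gen.generateKeyPair().getPublic();

        // Hypothetical stand-in for a fingerprint attribute on System.User.
        Map<String, String> users = new HashMap<>();
        users.put(spkiFingerprint(registered), "ws_client_a");

        System.out.println("registered key   -> " + users.get(spkiFingerprint(registered)));
        System.out.println("unregistered key -> " + users.get(spkiFingerprint(unregistered)));
    }
}
```

Keying on the public-key fingerprint rather than the whole certificate means a client that renews its certificate with the same key pair still maps to the same user.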
1 answers
0

Any ideas on this one?

answered