activemq-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From steveg103 <>
Subject Stomp WebSockets and client certificates
Date Tue, 06 Oct 2015 17:16:39 GMT

I am working with ActiveMQ 5.11 and have a question about client
certificates when WebSockets are in use.  I'm specifically using the wss://

My goal is to achieve client-certificate (mutual) authentication over each
of the ssl://, amqp+ssl://, and wss:// transports.  I've been able to do
this in the latter two cases by using wantClientAuth on the transport config
and providing a BrokerPlugin and BrokerFilter that override the
addConnection(ConnectionContext, ConnectionInfo) methods and retrieve the
credentials int hat method.  Peer certificates in these cases are retrieved
via casting ConnectionInfo's getTransportContext() into an array of
X509Certificate objects, representing the peer cert chain.

In the websocket case, however, getTransportContext() does not return the
peer certs, and my custom login module fails to see credentials to
authenticate the user.

Is it possible to retrieve the peer certificate chain in this case?  Since
the websocket's handshake and subsequent upgrade request are indirect
compared to the other two transports, I'm guessing that the peer certs are
exchanged during TLS handshake and are lost when the session upgrade occurs,
looking at classes like WSServlet (which passes nothing from the
HttpServletRequest to the StompSocket it creates), and that further, because
the upgrade occurs, there is no real tracking of the initial connection that
exchanged the certs in the first place, making it impossible to dig them out
via some other mechanism.  Is that accurate?


View this message in context:
Sent from the ActiveMQ - User mailing list archive at

View raw message