How to enable certificate forwarding in WildFly

In this tutorial we will learn how to do client certificate authentications when WildFly is located behind a reverse proxy.

The most common use cases for reverse proxies are:

  • When the reverse proxy is located on a DMZ
  • When youe Web applications are located on a VLAN (e.g. private network).
  • When the reverse proxy reads the initial request, then it initiates a new (even if similar) request to the internal Web applications.

The problem is that, by definition, an HTTPS request’s content cannot be spied. This is why when putting a reverse proxy behind the client and the Web application, the HTTPS stream will be broken and we will loose all the client certificate data contained in the X509 client certificate .

Let’s see how to safely forward the client certificate data to the web application running on WildFly. Let’s start from the front-end, where we will set the SSL information headers:

 RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
 RequestHeader set SSL_CIPHER "%{SSL_CIPHER}s"
 RequestHeader set SSL_SESSION_ID "%{SSL_SESSION_ID}s"
 RequestHeader set SSL_CIPHER_USEKEYSIZE "%{SSL_CIPHER_USEKEYSIZE}s"

Then, on WildFly, enable the certificate-forwarding=”true” attribute on the Undertow server:

/subsystem=undertow/server=default-server/http-listener=default:write-attribute(name=certificate-forwarding,value=true)

This will result in the following configuration:

 <subsystem xmlns="urn:jboss:domain:undertow:10.0" default-server="default-server" default-virtual-host="default-host" default-servlet-container="default" default-security-domain="other" statistics-enabled="${wildfly.undertow.statistics-enabled:${wildfly.statistics-enabled:false}}">
   <buffer-cache name="default"/>
   <server name="default-server">
      <http-listener name="default" socket-binding="http" redirect-socket="https" certificate-forwarding="true"/>
Found the article helpful? if so please follow us on Socials