I don't need to do any validation over users, etc. I only need the client to send the certificate and the server (me in this case) to validate the certificate through a truststore or something (apply mTLS, in other words).
I have one endpoint, let's say "/authentication", that needs to be mTLS; the other ones only need server auth (TLS).
This is a possible solution, I haven't tried it yet, but I think there's an even easier approach:
How to guard some endpoints with mTLS and some with JWT
For more context, if it helps, it's for 3DS EMVCo.
UPDATED STATUS: made a filter which validates that the request contains at least one certificate. Combine the filter with ssl.client-auth WANT for a specific route. (With WANT the certificate will be validated through the truststore.)
This is the filter if someone asks:
    import jakarta.servlet.FilterChain
    import jakarta.servlet.http.HttpServletRequest
    import jakarta.servlet.http.HttpServletResponse
    import java.security.cert.CertificateException
    import java.security.cert.X509Certificate
    import org.springframework.web.filter.OncePerRequestFilter
    import org.springframework.web.servlet.HandlerExceptionResolver

    // Rejects requests on mTLS-protected routes that arrived without a client certificate.
    // The resolver turns the exception into an HTTP error response instead of a raw servlet error.
    class MutualTlsCertificateFilter(
        private val resolver: HandlerExceptionResolver?,
        private val mutualTlsEnabled: Boolean = true // assumed switch; the post's isMutualTLSEnabled() source is not shown
    ) : OncePerRequestFilter() {

        private fun isMutualTLSEnabled(): Boolean = mutualTlsEnabled

        @Suppress("UNCHECKED_CAST")
        override fun doFilterInternal(
            request: HttpServletRequest,
            response: HttpServletResponse,
            filterChain: FilterChain
        ) {
            try {
                if (isMutualTLSEnabled()) {
                    // Set by the container only when the client presented a certificate that passed handshake (truststore) validation.
                    val certificates: Array<X509Certificate>? = request
                        .getAttribute("jakarta.servlet.request.X509Certificate") as Array<X509Certificate>?
                    if (certificates.isNullOrEmpty()) {
                        throw CertificateException("Client certificate required")
                    }
                }
                filterChain.doFilter(request, response)
            } catch (e: CertificateException) {
                resolver?.resolveException(request, response, null, e)
            }
        }
    }
If you find a solution like this: "Implement both mTLS (two-way SSL) and public endpoints (no SSL check)", it is NOT what I need; that solution is for authenticated users, and I will not perform any authentication over USERS.
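Wiring for the "filter + client-auth WANT" approach described in the UPDATED STATUS, as an added example that is not the poster's code: the filter is registered for the "/authentication" route only, so every other path stays on plain server-authenticated TLS. It assumes the post's filter is wrapped in a class named MutualTlsCertificateFilter that takes a HandlerExceptionResolver, and the property names in the comment are Spring Boot's standard server.ssl.* keys with placeholder values.

```kotlin
import org.springframework.beans.factory.annotation.Qualifier
import org.springframework.boot.web.servlet.FilterRegistrationBean
import org.springframework.context.annotation.Bean
import org.springframework.context.annotation.Configuration
import org.springframework.core.Ordered
import org.springframework.web.servlet.HandlerExceptionResolver

// Server settings this wiring relies on (application.yml; values are placeholders):
//   server.ssl.enabled: true
//   server.ssl.client-auth: want                  # request a client cert, don't refuse the handshake without one
//   server.ssl.trust-store: classpath:truststore.p12
//   server.ssl.trust-store-password: <placeholder>
// With WANT, a certificate that IS presented is chain-validated against the truststore
// during the handshake; the filter only closes the gap where no certificate was sent at all.
@Configuration
class MutualTlsRouteConfig {

    @Bean
    fun mutualTlsFilterRegistration(
        @Qualifier("handlerExceptionResolver") resolver: HandlerExceptionResolver
    ): FilterRegistrationBean<MutualTlsCertificateFilter> {
        // MutualTlsCertificateFilter is assumed to be the filter from the post, wrapped in a class.
        val registration = FilterRegistrationBean(MutualTlsCertificateFilter(resolver))
        // Only the 3DS authentication route demands a client certificate;
        // everything else keeps server-auth-only TLS, which WANT already permits.
        registration.addUrlPatterns("/authentication")
        registration.order = Ordered.HIGHEST_PRECEDENCE
        return registration
    }
}
```

Because the filter is registered with the servlet container rather than inside a Spring Security chain, it runs before any user-level authentication, which matches the requirement of validating only the certificate and not the user.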