requireClientCertificateIdentity

Signature

def requireClientCertificateIdentity(cnRegex: Regex): Directive0

Description

This directive allows for matching a regular expression against the identity of a client mTLS certificate.

The directive requires the client to be authenticated; if it is not, the request is rejected with a TlsClientUnverifiedRejection. This rejection can only happen with setWantClientAuth(true); with setNeedClientAuth(true) the connection is denied earlier. The directive also requires one of the client certificate's IP or DNS SANs (Subject Alternative Names) or, if none exist, the CN (Common Name) to match the given regular expression; if not, the request is rejected with a TlsClientIdentityRejection.

Note

Using this directive requires TLS session info parsing to be enabled (akka.http.server.parsing.tls-session-info-header = on) and the server ConnectionContext SSLEngine to be set up with either setWantClientAuth(true) or setNeedClientAuth(true).

Example

Scala
requireClientCertificateIdentity(".*client1".r) {
  complete("OK")
}
Java
final Route route = requireClientCertificateIdentity(".*client1", () ->
        complete("OK")
);
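The two prerequisites from the Note, wired into a server, as an added example that is not part of the original documentation. The keystore file names, the KEYSTORE_PASSWORD environment variable, the bind address and the port are assumptions chosen for illustration.

```scala
import java.io.FileInputStream
import java.security.{ KeyStore, SecureRandom }
import javax.net.ssl.{ KeyManagerFactory, SSLContext, TrustManagerFactory }

import akka.actor.ActorSystem
import akka.http.scaladsl.{ ConnectionContext, Http }
import akka.http.scaladsl.server.Directives._
import com.typesafe.config.ConfigFactory

object MtlsServer extends App {
  // Prerequisite 1: TLS session info parsing must be on for the directive to see the session.
  val config = ConfigFactory
    .parseString("akka.http.server.parsing.tls-session-info-header = on")
    .withFallback(ConfigFactory.load())
  implicit val system: ActorSystem = ActorSystem("mtls-example", config)

  // Assumed inputs: server.p12 holds the server key pair, client-ca.p12 the CA
  // certificates trusted to issue client certificates (both names hypothetical).
  val password = sys.env("KEYSTORE_PASSWORD").toCharArray
  def loadStore(path: String): KeyStore = {
    val store = KeyStore.getInstance("PKCS12")
    val in = new FileInputStream(path)
    try store.load(in, password) finally in.close()
    store
  }
  val kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm)
  kmf.init(loadStore("server.p12"), password)
  val tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm)
  tmf.init(loadStore("client-ca.p12"))
  val sslContext = SSLContext.getInstance("TLS")
  sslContext.init(kmf.getKeyManagers, tmf.getTrustManagers, new SecureRandom)

  // Prerequisite 2: the engine must request a client certificate.
  // setWantClientAuth(true) lets unauthenticated clients reach the route, where the
  // directive rejects them; setNeedClientAuth(true) would deny the connection earlier.
  val https = ConnectionContext.httpsServer { () =>
    val engine = sslContext.createSSLEngine()
    engine.setUseClientMode(false)
    engine.setWantClientAuth(true)
    engine
  }

  // Pattern copied from the page's example.
  val route = requireClientCertificateIdentity(".*client1".r) {
    complete("OK")
  }

  Http().newServerAt("0.0.0.0", 8443).enableHttps(https).bind(route)
}
```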