
SignServer Authentication and Authorization

In SignServer, client authentication/authorization can be configured per worker and occurs in different components as the request comes in.

Reverse HTTP proxy

Optionally, a reverse proxy can be placed in front of the application server and SignServer, for instance to perform the authentication.

The reverse proxy, such as Apache HTTP Server or Nginx, can be configured to perform the authentication and pass the already authenticated information (such as the user name) along to the application server, for instance over an AJP Connector. For information on how to configure a reverse proxy, see SignServer Integration.

Servlet Container

The servlet container (the web server provided by the application server) is the first component to receive the HTTP request.

The servlet container provides the remote IP address of the peer that connected (the client itself, or the reverse proxy when one is in front) and all HTTP headers, whether they were set by the client or added by a proxy in front of it.

If configured, the servlet container may require TLS client certificate authentication. In that case the servlet container itself performs the TLS client authentication and then provides the authenticated certificate to SignServer.

SignServer Servlet

The Servlet in SignServer receives the request and gathers all relevant information (remote address, headers, client certificate) to pass along to the next component, the "Process Session".

SignServer Process Session

Before processing the request, the process session invokes the Authorizer configured for the requested worker. If the Authorizer allows the request, processing continues; otherwise processing stops and the request is rejected.

Authorizer Implementation

The configured Authorizer implementation decides, given the provided information, whether the request should be allowed or not. The Authorizer may also consult its own configuration and possibly external systems.

Examples of Authorizers:

ClientCertAuthorizer: checks that the serial number and issuer DN of the provided client certificate are present in this worker's whitelist of authorized clients.

RemoteAddressAuthorizer: uses whitelists or blacklists of remote (IP) addresses to authorize. Note that, depending on how a reverse proxy and its connector are configured, the remote address seen by the servlet container may be that of the proxy rather than of the original client.

UsernamePasswordAuthorizer: checks that the username/password provided in the HTTP Basic Authentication header matches one of those configured for this worker.

UsernameAuthorizer: like the previous one, but intended for a setup where the user has already been authenticated by the reverse proxy. The provided user name is simply accepted and used further on. The reverse proxy could use modules for Active Directory / LDAP authentication or anything else that in the end provides a user name to be passed on to SignServer.

All available Authorizers are listed on the Authorizers page.
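The following is an added example, not SignServer's own code: a small Python model of the authorization step described above. A RequestContext carries what the servlet container hands to the process session (peer address, headers, client certificate); each authorizer function mirrors one of the Authorizers listed above and either returns normally or raises IllegalRequest, in which case processing stops before any signing happens. It also shows the two caveats a practitioner wants here: a forwarded client address or a proxy-supplied user name is only trusted when the request actually came from the reverse proxy, and Basic-auth passwords are compared in constant time. The names (RequestContext, IllegalRequest, the authorizer functions, the X-Remote-User header, the worker names) and all addresses, DNs and credentials are this example's own constructed assumptions.

```python
import base64
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RequestContext:
    """What the servlet container provides to the process session (constructed model)."""
    remote_addr: str                          # peer address as seen by the container
    headers: dict = field(default_factory=dict)
    client_cert: Optional[tuple] = None       # (issuer DN, serial as hex) after TLS client auth


class IllegalRequest(Exception):
    """Raised by an authorizer to reject the request; processing stops."""


def normalize_dn(dn: str) -> str:
    """Canonical DN form so 'CN=x, O=y' and 'cn=X,o=Y' compare equal."""
    rdns = (p.split("=", 1) for p in dn.split(","))
    return ",".join(f"{k.strip().upper()}={v.strip().casefold()}" for k, v in rdns)


def client_cert_authorizer(ctx, whitelist):
    """ClientCertAuthorizer-style: (issuer DN, serial) must be in the worker's whitelist."""
    if ctx.client_cert is None:
        raise IllegalRequest("TLS client certificate required")
    issuer, serial = ctx.client_cert
    allowed = {(normalize_dn(i), int(s, 16)) for i, s in whitelist}
    if (normalize_dn(issuer), int(serial, 16)) not in allowed:
        raise IllegalRequest("client certificate not in worker whitelist")


def effective_client_ip(ctx, trusted_proxies):
    """With a reverse proxy in front, the container's peer may be the proxy itself.
    Only then, and only for a trusted proxy, use the last hop it appended to
    X-Forwarded-For; a client-supplied header is otherwise ignored (spoofable)."""
    peer = ipaddress.ip_address(ctx.remote_addr)
    xff = ctx.headers.get("X-Forwarded-For")
    if xff and any(peer in net for net in trusted_proxies):
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer


def remote_address_authorizer(ctx, allow, deny=(), trusted_proxies=()):
    """RemoteAddressAuthorizer-style: blacklist is checked first, then whitelist must match."""
    ip = effective_client_ip(ctx, trusted_proxies)
    if any(ip in net for net in deny):
        raise IllegalRequest(f"{ip} is blacklisted")
    if not any(ip in net for net in allow):
        raise IllegalRequest(f"{ip} is not whitelisted")


def username_password_authorizer(ctx, credentials):
    """UsernamePasswordAuthorizer-style: HTTP Basic credentials checked against worker config."""
    auth = ctx.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        raise IllegalRequest("HTTP Basic authentication required")
    try:
        user, _, password = base64.b64decode(auth[6:], validate=True).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        raise IllegalRequest("malformed Authorization header")
    # Compare against a dummy for unknown users so timing does not reveal valid names.
    expected = credentials.get(user, "\0" * 32)
    if user not in credentials or not hmac.compare_digest(expected.encode(), password.encode()):
        raise IllegalRequest("bad username or password")
    return user


def username_authorizer(ctx, trusted_proxies, header="X-Remote-User"):
    """UsernameAuthorizer-style: accept the user name the reverse proxy authenticated,
    but only when the request really arrived through that proxy."""
    if not any(ipaddress.ip_address(ctx.remote_addr) in n for n in trusted_proxies):
        raise IllegalRequest("user name header trusted only from the reverse proxy")
    user = ctx.headers.get(header)
    if not user:
        raise IllegalRequest("reverse proxy supplied no user name")
    return user


def authorize(worker, ctx):
    """Process-session step: run the worker's authorizer; a rejection never reaches signing."""
    try:
        worker["authorizer"](ctx)
    except IllegalRequest as e:
        return ("REJECTED", str(e))
    return ("ACCEPTED", None)


PROXY = [ipaddress.ip_network("10.0.0.5/32")]   # constructed: address of our reverse proxy
WORKERS = {                                     # constructed per-worker configuration
    "pdf-signer": {"authorizer": lambda c: client_cert_authorizer(c, [("CN=Issuing CA, O=Example", "1a2b")])},
    "ts-service": {"authorizer": lambda c: remote_address_authorizer(
        c, allow=[ipaddress.ip_network("192.0.2.0/24")], trusted_proxies=PROXY)},
    "code-signer": {"authorizer": lambda c: username_password_authorizer(c, {"build": "s3cret"})},
    "sso-signer": {"authorizer": lambda c: username_authorizer(c, PROXY)},
}


def demo():
    """Constructed requests against each worker; returns the per-request decisions."""
    good = "Basic " + base64.b64encode(b"build:s3cret").decode()
    bad = "Basic " + base64.b64encode(b"build:wrong").decode()
    return {
        "cert ok": authorize(WORKERS["pdf-signer"], RequestContext("192.0.2.10", client_cert=("cn=Issuing CA, o=Example", "001A2B"))),
        "cert none": authorize(WORKERS["pdf-signer"], RequestContext("192.0.2.10")),
        "ip via proxy": authorize(WORKERS["ts-service"], RequestContext("10.0.0.5", {"X-Forwarded-For": "192.0.2.77"})),
        "ip spoofed xff": authorize(WORKERS["ts-service"], RequestContext("198.51.100.9", {"X-Forwarded-For": "192.0.2.77"})),
        "basic ok": authorize(WORKERS["code-signer"], RequestContext("192.0.2.10", {"Authorization": good})),
        "basic bad": authorize(WORKERS["code-signer"], RequestContext("192.0.2.10", {"Authorization": bad})),
        "user via proxy": authorize(WORKERS["sso-signer"], RequestContext("10.0.0.5", {"X-Remote-User": "alice"})),
        "user direct": authorize(WORKERS["sso-signer"], RequestContext("198.51.100.9", {"X-Remote-User": "alice"})),
    }
```

Running demo() accepts the four well-formed requests and rejects the missing certificate, the spoofed X-Forwarded-For from a non-proxy peer, the wrong password, and the X-Remote-User header sent directly rather than via the proxy. The two proxy-related rejections are the point: whichever authorizer is chosen, anything that relies on proxy-added information has to be combined with a check that the request could only have arrived through that proxy.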
