The servlet specification (at least 2.2) requires the
javax.servlet.request.X509Certificate attribute (which contains the client certificates, if any) to be an array of java.security.cert.X509Certificate.
However, the AJP connector returns this chain of certificates as a string.
I'm attaching a patch which should correct this. There are a couple of exceptions that are badly handled in this patch, as I wasn't sure how to do it properly in the context of the rest of the code.
ClassCastException may happen during "certificates[i] = (X509Certificate)cert", but I think it's unlikely to happen since it uses an X.509 certificate factory.
I tried to use "new ByteArrayInputStream(sslCert.array())" instead of "new ByteArrayInputStream(sslCert.toString().getBytes())" when reading the certificate. However, this didn't work. (I must admit I haven't investigated this further, and I haven't read the documentation for Buffer.)
To get the chain from Apache Httpd (assuming that this is the front-end), certain options should be enabled such as "JkOptions +ForwardSSLCertChain" (there is more on this topic in the AJP documentation).
In Tomcat, I've only managed to get the client certificate and not the full chain. A quick glance at apache-tomcat-6.0.14-src/java/org/apache/coyote/ajp/AjpProcessor.java seems to indicate that only an array of size 1 is created, which would explain this behaviour. I'm not sure if everything regarding AJP and X509Certificates happens in this class in Tomcat.
This patch for Jetty should put the full chain, if it is available. However, for a reason unknown to me, the chain is only passed to sslCert when the SSL session is initiated (after inactivity, restarting httpd or closing the browser). Using a simple test servlet that displays the array in attribute javax.servlet.request.X509Certificate, when I see a chain of two certificates and press reload (a second after), I only get to see the client certificate, but no others. This may be due to mod_jk as well.
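As an added illustration of the conversion the report describes (not the attached patch and not Jetty's own code), the helper below turns the string the AJP connector forwards into the X509Certificate[] the servlet specification requires. It assumes the forwarded value is PEM text containing one or more certificate blocks; the class name AjpCertChain and the file-path argument in main are assumptions for the stand-alone demonstration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;

/** Converts forwarded PEM text into the X509Certificate[] expected under
 *  the javax.servlet.request.X509Certificate attribute. (Assumed name.) */
public final class AjpCertChain {

    /** Returns null when nothing was forwarded, otherwise every certificate
     *  found in the PEM text, in the order it appears. */
    public static X509Certificate[] toX509Chain(String pem) throws CertificateException {
        if (pem == null || pem.trim().isEmpty()) {
            return null;
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // generateCertificates() consumes every PEM block in the stream, so a
        // leaf-plus-intermediates string yields the whole chain in one call.
        Collection<? extends Certificate> parsed = cf.generateCertificates(
                new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
        if (parsed.isEmpty()) {
            return null;
        }
        X509Certificate[] chain = new X509Certificate[parsed.size()];
        int i = 0;
        for (Certificate c : parsed) {
            // An X.509 factory only yields X509Certificate, but checking turns the
            // unlikely mismatch into a CertificateException, not a ClassCastException.
            if (!(c instanceof X509Certificate)) {
                throw new CertificateException("non-X.509 certificate at position " + i);
            }
            chain[i++] = (X509Certificate) c;
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: the forwarded PEM text was saved to the file named on the command line.
        String pem = new String(Files.readAllBytes(Paths.get(args[0])), StandardCharsets.US_ASCII);
        X509Certificate[] chain = toX509Chain(pem);
        System.out.println(chain == null ? "no client certificate" : chain.length + " certificate(s)");
        if (chain != null) {
            for (X509Certificate c : chain) System.out.println("  " + c.getSubjectX500Principal());
        }
    }
}
```

A chain of length 1 on reload, as observed in the report, shows up here simply as a one-element array, so the helper is also a quick way to check what the connector actually forwarded on a given request.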