In SignServer client authentication/authorization can be configured per-worker and happens in different components as the request comes in:
Reverse HTTP proxy
Optionally before SignServer and the application server a reverse proxy could be put in place for instance to perform the authentication.
The reverse proxy (i.e. Apache HTTP Server or Nginx) can be configured to perform the authentication and pass along the already authenticated information to the application server using for instance an AJP Connector.
See the Integration chapter for how to configure a reverse proxy.
Provided the by application server is the servlet container (web server) that first receives the HTTP request.
The Servlet container provides the remote IP address and all the HTTP headers sent by the client (and/or) any proxy in front of it.
If configured the Servlet container may require TLS client certificate authentication and is in that case performing the TLS authentication and then provides the authenticated certificate.
The Servlet in SignServer receives the request and gathers all relevant information to pass along to the next component called "Process Session".
SignServer Process Session
Before processing the request it invokes the Authorizer that has been configured for the requested worker. If the Authorizer allows the request it is further processed otherwise the processing stops.
The configured Authorizer implementation decides if the request should be allowed or not given the provided information. The Authorizer could also consult its configuration and possibly external systems as well.
Examples of Authorizers:
Uses white or blacklists for the remote (IP) addresses to authorize.
Checks that the certificate serial number and issuer DN from the provided client certificate is available in this workers whitelist.
Checks that the username/password provided in the HTTP Basic Authentication HTTP header matches one of those configured for this worker.
Same as the previous but this one could be used in a set up where the user is already authorized by the reversed proxy. The provided user name is simply accepted and used further on.
The reversed proxy could use modules for Active Directory / LDAP authentication or anything else that in the end provides a user name to be passed on to SignServer.
All available Authorizers are listed on the Authorizers page.