Undertow contains a feature whereby the Proxy server can handle SSL and pass the certificate chain to Undertow - this is then used for the actual client cert authentication.
We need to cover this type of scenario within our generic HTTP authentication framework.
We could further wrap the SSLSession in a similar way to Undertow - or we could make the chain available as a fallback.
Related to this we also need to work on the different attachment contexts, that may affect how we consider SSLSession attachments.