June 26, 2016

How JBoss EAP 6 Receives the Client Certificate with CLIENT-CERT

When you configure your web application for client certificate authentication in web.xml:
<login-config>
    <auth-method>CLIENT-CERT</auth-method>
</login-config>

The JBossWeb (Catalina) authenticator valve receives the client certificate in:
org.apache.catalina.authenticator.SSLAuthenticator#authenticate(Request, HttpServletResponse, LoginConfig)
// Retrieve the certificate chain for this client
X509Certificate certs[] = request.getCertificateChain();
if ((certs == null) || (certs.length < 1)) {
    if (getContainer().getLogger().isDebugEnabled())
        getContainer().getLogger().debug("  No certificates included with this request");
    response.sendError(HttpServletResponse.SC_UNAUTHORIZED,
                       MESSAGES.missingRequestCertificate());
    return (false);
}

org.apache.catalina.connector.Request#getCertificateChain()
public X509Certificate[] getCertificateChain() {
    // The chain is read back from the request attribute populated by the connector
    X509Certificate certs[] = (X509Certificate[]) getAttribute(Globals.CERTIFICATES_ATTR);
    // ... remainder of the method is not shown in this excerpt
}

org.apache.catalina.Globals#CERTIFICATES_ATTR
/**
 * The request attribute under which we store the array of X509Certificate
 * objects representing the certificate chain presented by our client,
 * if any.
 */
public static final String CERTIFICATES_ATTR =
    "javax.servlet.request.X509Certificate";
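Because the container exposes the chain under that same standard attribute to the application, a servlet can read it directly. The following servlet is an added example (not part of JBoss EAP or JBossWeb); it repeats the valve's empty-chain check and the class name WhoAmIServlet is an assumption.

```java
import java.io.IOException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical example servlet: reads the client certificate chain that the
 * connector stored under the standard servlet attribute for a CLIENT-CERT app.
 */
public class WhoAmIServlet extends HttpServlet {

    // Same value as org.apache.catalina.Globals.CERTIFICATES_ATTR
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // Mirror the valve's own check: no chain means the TLS layer did not
        // receive a client certificate for this request.
        if (chain == null || chain.length < 1) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "No client certificate");
            return;
        }

        // chain[0] is the end-entity (client) certificate; the rest is the issuer path.
        X509Certificate client = chain[0];
        try {
            // Defence in depth: the TLS handshake already validated the chain.
            client.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "Certificate not valid: " + e.getMessage());
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().printf("subject=%s%nissuer=%s%nserial=%s%nchainLength=%d%n",
                client.getSubjectX500Principal().getName(),
                client.getIssuerX500Principal().getName(),
                client.getSerialNumber().toString(16),
                chain.length);
    }
}
```

Only this container-populated attribute should be trusted for the client identity; values copied into HTTP headers by a client or a misconfigured proxy are not set by the TLS layer.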

Reference: JBoss EAP 6.4 and the JBossWeb sources at http://maven.repository.redhat.com/techpreview/all/org/jboss/web/jbossweb/7.5.7.Final-redhat-1/jbossweb-7.5.7.Final-redhat-1-sources.jar.
