Enabling X.509 client authentication is very straightforward. Just add the <x509/>
element to your http security namespace configuration.
<http>
    ...
    <x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/>
    ...
</http>
The element has two optional attributes:

subject-principal-regex. The regular expression used to extract a username from the certificate's subject name. The default value is shown above. This is the username which will be passed to the UserDetailsService to load the authorities for the user.

user-service-ref. This is the bean Id of the UserDetailsService to be used with X.509. It isn't needed if there is only one defined in your application context.
The subject-principal-regex should contain a single group. For example, the default expression "CN=(.*?)," matches the common name field, so if the subject name in the certificate is "CN=Jimi Hendrix, OU=...", this gives a user name of "Jimi Hendrix". The matching is case insensitive, so "emailAddress=(.*?)," will match "EMAILADDRESS=jimi@hendrix.org,CN=..." giving a user name "jimi@hendrix.org".
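As an added illustration (not code from the Spring Security reference), the following Python reproduces the extraction rule stated above: the expression is applied case-insensitively and its single group becomes the username. The subject names are constructed samples, and the example also goes beyond the text by showing what happens when the CN is the last component of the subject, which the default expression does not match.

```python
import re

# Extraction rule for the <x509> element: one capturing group, matched
# case-insensitively, group 1 becomes the username passed to the UserDetailsService.
DEFAULT_SUBJECT_PRINCIPAL_REGEX = r"CN=(.*?),"


def extract_principal(subject_dn, regex=DEFAULT_SUBJECT_PRINCIPAL_REGEX):
    """Return the username found in subject_dn, or None when the expression
    does not match (no username means the security context stays empty)."""
    pattern = re.compile(regex, re.IGNORECASE)
    if pattern.groups != 1:
        raise ValueError("subject-principal-regex must contain exactly one group")
    m = pattern.search(subject_dn)
    return m.group(1) if m else None


# Constructed sample subject names (not taken from the original page).
SAMPLES = {
    "cn_first": "CN=Jimi Hendrix, OU=Guitars, O=Example Corp, C=US",
    "email_upper": "EMAILADDRESS=jimi@hendrix.org,CN=Jimi Hendrix,O=Example Corp",
    "cn_last": "O=Example Corp, OU=Guitars, CN=Jimi Hendrix",
}


def demo():
    """Run the samples through the default and alternative expressions."""
    return {
        "default_cn": extract_principal(SAMPLES["cn_first"]),
        "email_ci": extract_principal(SAMPLES["email_upper"], r"emailAddress=(.*?),"),
        # Caveat: the default expression requires a comma after the CN, so a
        # subject whose CN is the final RDN yields no username at all.
        "cn_last_default": extract_principal(SAMPLES["cn_last"]),
        # Accepting end-of-string as the terminator covers that case.
        "cn_last_tolerant": extract_principal(SAMPLES["cn_last"], r"CN=(.*?)(?:,|$)"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```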
If the client presents a certificate and a valid username is successfully extracted, there should be a valid Authentication object in the security context. If no certificate is found, or no corresponding user could be found, the security context remains empty. This means that you can easily use X.509 authentication alongside other options such as a form-based login.