Spring-Security with X509?

Question

I am new to spring-security in general and am a bit confused.

The project I am trying to integrate this with uses X509 certificates to identify users for signing in to the application. There are no usernames or passwords. We validate the certificates are good, and that they have been given access to our app.

The question is how do I integrate spring in to this to get their roles using the X509 certificates?

I have seen this:

<http>
 ...
    <x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/>
 ...
</http>

But I don't understand how this works. Will it still require something for a password? Or is the subject all it needs?

Answer 1

But I don't understand how this works. Will it still require something for a password? Or is the subject all it needs?

I think that that is all it needs. I believe that the model is that the TLS protocol determines that the user / client "owns" the certificate using public key encryption techniques that boil down to the user / client knowing the private key for the certificate. It is assumed that only the user will know his own private key, and therefore that who / whatever can prove knowledge of the key is the user.

Answer 2

At least for a browser accessing your service the user will be prompted for the password that was used when creating the X509 certificate. You can create certs without passwords, but that's not as secure.

The browser and your servlet container will handle the SSL handshake after the user enters the password and then if all is well you can then use your UserDetailsService implementation to populate the Principle with any Roles that user has.