Spring-Security with X509?

I am new to spring-security in general and am a bit confused.

The project I am trying to integrate this with uses X509 certificates to identify users for signing in to the application. There are no usernames or passwords. We validate the certificates are good, and that they have been given access to our app.

The question is how do I integrate Spring into this to get their roles using the X509 certificates?

I have seen this:

<http>
    ...
    <x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/>
    ...
</http>

But I don't understand how this works. Will it still require something for a password? Or is the subject all it needs?

like image 419
Jacob Schoen asked Nov 05 '22 12:11


2 Answers

But I don't understand how this works. Will it still require something for a password? Or is the subject all it needs?

I think that that is all it needs. I believe that the model is that the TLS protocol determines that the user / client "owns" the certificate using public key encryption techniques that boil down to the user / client knowing the private key for the certificate. It is assumed that only the user will know his own private key, and therefore that who / whatever can prove knowledge of the key is the user.

like image 138
Stephen C answered Nov 12 '22 19:11


At least for a browser accessing your service the user will be prompted for the password that was used when creating the X509 certificate. You can create certs without passwords, but that's not as secure.

The browser and your servlet container will handle the SSL handshake after the user enters the password, and then if all is well you can use your UserDetailsService implementation to populate the Principal with any Roles that user has.

like image 21
Gandalf answered Nov 12 '22 18:11
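Putting both answers together as an added example (not code from the question or either answer): a Spring Security 6 Java configuration that takes the username from the certificate's CN with no password step, and a UserDetailsService that turns that CN into roles or rejects a CN that was never granted access. It assumes Spring Boot 3 and that the container already demands and validates client certificates (for example `server.ssl.client-auth=need`); the CN-to-role map is constructed sample data.

```java
// Added example, not from the original post. Assumes Spring Security 6 / Spring Boot 3
// and that the servlet container requires and validates client certificates.
import java.util.List;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class X509SecurityConfig {

    // Constructed sample data standing in for the real "who has been given access"
    // lookup: certificate CN -> roles. A CN not listed here is rejected even though
    // its certificate chained to a trusted CA during the TLS handshake.
    private static final Map<String, List<String>> ACCESS_LIST = Map.of(
            "alice", List.of("ROLE_USER"),
            "bob",   List.of("ROLE_USER", "ROLE_ADMIN"));

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth
                .requestMatchers("/admin/**").hasRole("ADMIN")
                .anyRequest().authenticated())
            // No form login and no password check: possession of the private key was
            // already proven by the TLS handshake. The regex extracts the CN from the
            // subject DN (this variant also matches a CN that is last in the DN) and
            // hands it to the UserDetailsService as the username.
            .x509(x509 -> x509
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(userDetailsService()));
        return http.build();
    }

    @Bean
    UserDetailsService userDetailsService() {
        return username -> {
            List<String> roles = ACCESS_LIST.get(username);
            if (roles == null) {
                // Valid certificate, but this CN was never granted access to the app.
                throw new UsernameNotFoundException("No access for CN=" + username);
            }
            // User requires a password field, but X.509 authentication never checks it.
            UserDetails user = User.withUsername(username)
                    .password("{noop}unused")
                    .authorities(roles.toArray(String[]::new))
                    .build();
            return user;
        };
    }
}
```

The `{noop}` password is a placeholder that is never compared against anything; authorization decisions come only from the authorities looked up for the CN.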