
Thread: X509AuthenticationFilter

  1. #1
    Join Date
    Mar 2007
    Posts
    561

    X509AuthenticationFilter

    Hi,

    I'm using spring sec 3.0. When I set up an X509AuthenticationFilter via <sec:x509 user-service-ref="userDetailsService" subject-principal-regex="CN=(.*?)," /> and the X509PrincipalExtractor cannot extract the principal from the certificate, an exception is thrown and the auth filter chain stops processing.

    Shouldn't continueFilterChainOnUnsuccessfulAuthentication step in here and, if set to true, continue to process the chain?

    How can I handle this situation?

    Thank you

  2. #2
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236


    Just curious, what exception is being thrown, from where? Looking at the code, it seems you're right, that if getPreAuthenticatedPrincipal throws an exception, it isn't handled by logic that incorporates continueFilterChainOnUnsuccessfulAuthentication.

    I could see an argument that "continueFilterChainOnUnsuccessfulAuthentication" isn't technically applicable here, since that flag is supposed to check for failed authentication, not bad (invalid) credentials, but regardless, it seems like this should be behavior that you should be able to toggle. I'd suggest filing a JIRA with this suggestion.

    In the meantime, you could implement your own subclass of X509AuthenticationFilter with logic to handle this situation and just configure it as a custom filter, replacing the standard X.509 filter.
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.


  3. #3
    Join Date
    Mar 2007
    Posts
    561


    Quote, originally posted by pmularien:
    Just curious, what exception is being thrown, from where?
    SubjectDnX509PrincipalExtractor throws exceptions if it cannot extract the username.

    I think I will extend it and return null in this case. Bad idea?

  4. #4
    Join Date
    Sep 2004
    Location
    Manchester, NH
    Posts
    1,236


    I think that should be sufficient - note that in that case (returning null), continuing on the filter chain is implied and not explicitly controlled by the boolean flag you mentioned (so don't be surprised if you later set it to false and it still continues).
    Peter Mularien | Blog
    Author, Spring Security 3 (Book) - Packt Publishing, Available in print and eBook form
    SCJP 5, Oracle DBA
    Any postings are my own opinion, and should not be attributed to my employer or clients.
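
The approach discussed in posts #3 and #4, as an added example that is not part of the original thread or of Spring Security itself: a principal extractor that delegates to SubjectDnX509PrincipalExtractor and returns null when the subject DN does not match. The class name LenientSubjectDnPrincipalExtractor is hypothetical, and the code assumes the Spring Security 3.0 web module and commons-logging are on the classpath.

```java
import java.security.cert.X509Certificate;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;

// Hypothetical class, written for this example; not shipped with Spring Security.
public class LenientSubjectDnPrincipalExtractor implements X509PrincipalExtractor {

    private static final Log logger =
            LogFactory.getLog(LenientSubjectDnPrincipalExtractor.class);

    // The stock extractor still does the regex matching against the subject DN.
    private final SubjectDnX509PrincipalExtractor delegate =
            new SubjectDnX509PrincipalExtractor();

    public LenientSubjectDnPrincipalExtractor(String subjectDnRegex) {
        // Same pattern as the subject-principal-regex attribute, e.g. "CN=(.*?),"
        delegate.setSubjectDnRegex(subjectDnRegex);
    }

    public Object extractPrincipal(X509Certificate cert) {
        try {
            return delegate.extractPrincipal(cert);
        } catch (BadCredentialsException e) {
            // Keep the failed extraction visible in the logs before swallowing it.
            logger.warn("No principal extracted from client certificate subject '"
                    + cert.getSubjectX500Principal().getName() + "': "
                    + e.getMessage());
            // A null principal makes the pre-authentication filter skip
            // authentication and pass the request down the chain.
            return null;
        }
    }
}
```

Set it on the filter with X509AuthenticationFilter.setPrincipalExtractor(...). Because the request then continues unauthenticated regardless of continueFilterChainOnUnsuccessfulAuthentication, the access rules on protected URLs must still reject it.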


  5. #5
    Join Date
    Mar 2007
    Posts
    561


    Hm, now I'm a little bit lost...
    I have no clue how to set up an X509AuthenticationFilter...
    The step where it breaks is when I try to set up the authenticationManager for this filter.
