Spring Security 3.0 & X509

[wxkevin]

I am attempting to migrate an existing application using Acegi Security to Spring Security 3.0.5. I am attempting to use namespaces as much as possible.

Our app requires the use of an X509 certificate. Our local database is used to store roles and for authentication. We also have a legacy Authorization System that we must bounce against.

I have searched throughout this forum and Google to find a decent tutorial for my particular situation and have been unable to do so. I have read the User Guide but it seems to jump around and hence I have a hard time deciphering what I need to do.

Is there any links that can be provided to get me started migrating from Acegi to Spring Security 3.0?

[Luke Taylor]

Have you tried Peter's book? It probably covers most things you need to know about Spring Security 3.

I would take it in steps rather than doing everything at once. You can post any specific issues you have here. If you provide detailed information on your configuration and the problems you are having then someone should be able to respond.

[wxkevin]

I have access to Peter's book and it has helped in general. I still need a little push if somebody can provide.

In the older code we have the following filrerChainProxy:

1. httpIntegration
2. channelProcessingFilter
3. authenticationProcessingFilter
4. filterSecurityInterceptor

I am OK with #1, #2 and #4. #3 is the issue. I am not quite sure how this works. Here is an example of the bean definition in the old code:

Code:

<bean id="authenticationProcessingFilter"
         class="o.s.s.ui.x509.X509ProcessingFilter">
     <property name="authenticationManager" ref="authenticationManager" />
</bean>

<bean id="authenticationManager"
         class="o.s.s.providers.ProviderManager">
     <property name="providers">
         <list>
            <ref bean="authenticationProvider" />
         </list>
     </property>
</bean>

<bean id="authenticationProvider"
         class="o.s.s.providers.x509.X509AuthenticationProvider">
     <property name="x509AuthoritiesPopulator" ref="authoritiesPopulator" />
</bean>

<bean id="authoritiesPopulator"
         class="com.custom.package.UserX509AuthoritiesPopulator">
     <property name="userDetailsService" ref="userDetailsService" />
</bean>

The bean userDetailsService is a custom Class that implements a custom UserService interface. The UserService interface extends UserDetailsService.

So what classes do I now use since X509AuthenticationProvider is no longer around in Spring 3.0.5 and where do I put this in my security context file? Does it go in the same spot as the FilterChainProxy I noted above? I keep getting confused about "preauth". What exactly does this mean?

Any help would be greatly appreciated!

[Luke Taylor]

There is a chapter on preauth in the manual.

X.509 is now implemented using the preauthentication code, but the easiest way to use X.509 is using the namespace.

If using an explicit filter, you would use an X509AuthenticationFilter with a PreAuthenticatedAuthenticationProvider and most likely an Http403ForbiddenEntryPoint.

[wxkevin]

We are going to use explicit filters.

Does the location of the X509AuthenticationFilter in my filter chain proxy matter? Can it go in the same spot as our original authenticationProcessingFilter is does it need to be the first one called?