Thread: X.509 Client Certificate Authentication

  1. #1
    Join Date
    May 2011
    Posts
    2

    Default X.509 Client Certificate Authentication

    Hi all,

    I am developing an application that implements client certificate authentication using Spring Security. I know that in order to enable this type of authentication and extract the username from the certificate, this must be present in the Spring configuration file:

    Code:
    <http>
    ...
    <x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/>
    ...
    </http>
    The problem is that users must be able to authenticate using two different kinds of certificates, and the username is in a different field in each of them (the code above extracts the username from the CN field).

    So the question is: Is there a way of doing this?

    I've thought that maybe modifying the regular expression in some way would do it, but then I read here that the subject-principal-regex should contain a single group, so (although I am not entirely sure what that means exactly) I think that this may not be the solution.

    Any ideas?

    Thanks

  2. #2
    Luke Taylor, Senior Member, Acegi Security System Team / Spring Team
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449

    Default

    Use an explicit X509AuthenticationFilter instead of the namespace (inject it using the custom-filter element). You can inject a custom X509PrincipalExtractor into the filter which handles your two different certificate types.

    You'll also need an AuthenticationEntryPoint (usually Http403ForbiddenEntryPoint) and a PreAuthenticatedAuthenticationProvider. These are the beans the x509 namespace element creates, as described in the namespace appendix.
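    The wiring Luke describes, as an added example that is not his code or Spring Security's own, written in Spring Security's Java configuration (WebSecurityConfigurerAdapter, 3.2 to 5.x) instead of the XML namespace: a custom X509PrincipalExtractor that chooses the certificate field by issuing CA, the X509AuthenticationFilter carrying it, a PreAuthenticatedAuthenticationProvider backed by the existing UserDetailsService, and Http403ForbiddenEntryPoint. The two issuer DNs, the class names and the rule that the second certificate type carries the username as an rfc822Name in the Subject Alternative Name extension are assumptions; the original post does not say which field the second type uses. "A single group" in the namespace docs means exactly one regex capture group, which is what SubjectDnX509PrincipalExtractor takes as the principal.

```java
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.security.auth.x500.X500Principal;

import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.userdetails.UserDetailsByNameServiceWrapper;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.Http403ForbiddenEntryPoint;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;

/** Picks the username field by which CA issued the certificate (hypothetical class). */
class DualSourcePrincipalExtractor implements X509PrincipalExtractor {

    // ASSUMED issuer DNs: replace with the two CAs that really issue the users' certificates.
    // X500Principal.equals compares canonical forms, so encoding differences do not matter.
    private static final X500Principal STAFF_CA = new X500Principal("CN=Staff CA, O=Example Corp, C=US");
    private static final X500Principal PARTNER_CA = new X500Principal("CN=Partner CA, O=Example Corp, C=US");
    private static final int SAN_RFC822_NAME = 1; // GeneralName tag for rfc822Name (e-mail)

    // Spring's own extractor for the CN case. The regex has exactly one capture group;
    // "(?:,|$)" also matches a CN that is the last RDN, which "CN=(.*?)," would miss.
    private final SubjectDnX509PrincipalExtractor cnExtractor = new SubjectDnX509PrincipalExtractor();

    DualSourcePrincipalExtractor() {
        cnExtractor.setSubjectDnRegex("CN=(.*?)(?:,|$)");
    }

    @Override
    public Object extractPrincipal(X509Certificate cert) {
        X500Principal issuer = cert.getIssuerX500Principal();
        if (STAFF_CA.equals(issuer)) {
            return cnExtractor.extractPrincipal(cert);        // username is the subject CN
        }
        if (PARTNER_CA.equals(issuer)) {
            return emailFromSubjectAltName(cert);             // ASSUMED: username is the SAN e-mail
        }
        // Unknown issuer: no principal, so the filter leaves the request unauthenticated and the
        // Http403ForbiddenEntryPoint rejects it. The TLS layer must already restrict client CAs;
        // this is defence in depth, not the trust decision.
        return null;
    }

    private static String emailFromSubjectAltName(X509Certificate cert) {
        try {
            Collection<List<?>> sans = cert.getSubjectAlternativeNames();
            if (sans == null) return null;
            for (List<?> san : sans) {
                if (Integer.valueOf(SAN_RFC822_NAME).equals(san.get(0))) {
                    return (String) san.get(1);
                }
            }
            return null;
        } catch (CertificateParsingException e) {
            return null;
        }
    }
}

@Configuration
@EnableWebSecurity
public class X509SecurityConfig extends WebSecurityConfigurerAdapter {

    private final UserDetailsService userService; // the existing user store (LDAP, JDBC, ...)

    public X509SecurityConfig(UserDetailsService userService) {
        this.userService = userService;
    }

    // The provider the <x509> namespace element would have created: it trusts the
    // pre-authenticated name and only loads the user's details and authorities.
    @Override
    protected void configure(AuthenticationManagerBuilder auth) {
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(
                new UserDetailsByNameServiceWrapper<PreAuthenticatedAuthenticationToken>(userService));
        auth.authenticationProvider(provider);
    }

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        X509AuthenticationFilter filter = new X509AuthenticationFilter();
        filter.setPrincipalExtractor(new DualSourcePrincipalExtractor());
        filter.setAuthenticationManager(authenticationManager());

        http.addFilter(filter)
            .exceptionHandling().authenticationEntryPoint(new Http403ForbiddenEntryPoint())
            .and()
            .authorizeRequests().anyRequest().authenticated();
    }
}
```

    The filter only reads the certificate the servlet container exposes as the javax.servlet.request.X509Certificate attribute, so the container (or a terminating reverse proxy that forwards the certificate) must request the client certificate and verify its chain against the trusted CAs; Spring Security does no chain validation of its own. Whatever the extractor returns is looked up as-is in the UserDetailsService, so the e-mail case only works if the user store keys users by that address.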

  3. #3
    Join Date
    May 2011
    Posts
    2

    Default

    Thank you Luke, it works fine now!

  4. #4
    Join Date
    Nov 2006
    Posts
    6

    Default

    I am trying to do this exact same thing and somehow I have lost my authentication providers. Would it be possible for you to post your application security context file so I can see how you wired in the providers?

    Thanks,

    Chris

  5. #5
    Join Date
    Sep 2012
    Posts
    2

    Default

    Hi. I want to use an X.509 certificate on top of the authentication and authority part using LDAP. The LDAP part is done. Can you please let me know how to use an X.509 certificate on top of LDAP? How can I make the UserDetailsService available for use with the certificate?

    Thank you for your help.
