
Thread: How to organize X509 authentication in web application with Java and Spring?

  1. #1
    Join Date
    Jul 2011
    Posts
    6

    How to organize X509 authentication in web application with Java and Spring?

    I have a USB token with a private key and X509 certificate on it. It can be seen from Firefox, so it is OK. I have a sample application from Spring Security (I'm using version 3), which just demonstrates different types of authentication. That app was deployed on JBoss AS 6. I've searched many forums and articles for info on how to use an X509 cert instead of login/pass auth (Example: x509 authentication with spring security 2.0.4). Everywhere I've seen: "Just add the x509 tag in your applicationContext.xml", "Oh, thanks! It works!". There is an x509 fragment in the sample app's applicationContext.xml from Spring Security which was commented out. I've uncommented that stuff, but nothing works. That app logs all actions, so I can see that the X509 filter is firing when I load an app page, but it does nothing, because (it writes in the log): "No certificate found in user request". Then it redirects me to the standard login/pass form.

    Can you help me with that problem? Should Spring get CN from certificate from browser and use it instead of login name? What do I do wrong?

    P.S. I have the right user service block in applicationContext.xml. It works with the standard login/pass form.

    P.P.S. And sorry for my language - it isn't my native one.

  2. #2
    Luke Taylor (Senior Member, Acegi Security System Team / Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    I guess the obvious questions are:

    1. Are you using HTTPS?
    2. Do you have your server configured to require client-certificate authentication?

    Spring Security just attempts to extract the certificate from the standard attribute "javax.servlet.request.X509Certificate". If that isn't present (as indicated by the log message), then it is most likely a server configuration issue.
    Spring - by Pivotal
    twitter @tekul

  3. #3
    Join Date
    Jul 2011
    Posts
    6


    Yes, I'm using HTTPS.
    No, I haven't configured JBoss.

    Thanks a lot, I'll try.

  4. #4
    Join Date
    Jul 2011
    Posts
    6


    So I've tried to configure JBoss. I've added the clientAuth attribute with the "want" value in the SSL Connector block. So now, when I try to load any app page, Mozilla asks me for the User PIN of my USB token. But there is again "No certificate found in user request" in the app log.
    Is it again my bad?

  5. #5
    Luke Taylor (Senior Member, Acegi Security System Team / Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    Change it to "true" to require client authentication and make sure that works first before using "want". If the certificate isn't in the request, then there's nothing Spring Security can do about it. It has no control over SSL authentication.

  6. #6
    Join Date
    Jul 2011
    Posts
    6


    Have changed.

    JBoss said SSL_ERROR_BAD_CERT_ALERT.

    Does it mean that the token's certificate is untrusted on my server?
    So should I start searching for how to add it to the trusted ones?

  7. #7
    Join Date
    Jul 2011
    Posts
    6


    Update:
    Have added the token's certificate to the server keystore, so now JBoss passes me to a page, but no authentication has happened!

    In my applicationContext.xml I have

    Code:
    <x509 subject-principal-regex="CN=(.*?),"/>

    <authentication-manager>
        <authentication-provider>
            <password-encoder hash="md5"/>
            <user-service>
                <user name="Ronhul Maggot" password="..." authorities="ROLE_SUPERVISOR"/>
            </user-service>
        </authentication-provider>
    </authentication-manager>
    So my certificate has "CN=Ronhul Maggot"

    Again "No client certificate found in request"
    Last edited by Ronhul; Jul 6th, 2011 at 08:32 AM.

  8. #8
    Luke Taylor (Senior Member, Acegi Security System Team / Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    Unless the attribute I mentioned above is present in the request, it won't work. The rest of the configuration is irrelevant until you can call
    Code:
    request.getAttribute("javax.servlet.request.X509Certificate")
    and get a non-null value.
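As an added example (not from this thread and not Spring Security's own code), a hypothetical diagnostic servlet filter that performs the check Luke describes and applies the same `CN=(.*?),` pattern used in the applicationContext.xml from post #7 to the subject DN; it assumes a Servlet 2.5+ container and a web.xml mapping placed ahead of springSecurityFilterChain.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical diagnostic filter: confirms the container exposes the client
 *  certificate before any Spring Security configuration is suspected. */
public class ClientCertDiagnosticFilter implements Filter {

    // Same request attribute that Spring Security's X509AuthenticationFilter reads.
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // Same pattern as subject-principal-regex="CN=(.*?)," in the thread's config.
    // The trailing comma means it only matches when another RDN follows the CN.
    static final Pattern CN_PATTERN = Pattern.compile("CN=(.*?),");

    private ServletContext ctx;

    public void init(FilterConfig config) { ctx = config.getServletContext(); }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute(CERT_ATTR);

        if (!request.isSecure()) {
            ctx.log("Not HTTPS: the container will never set " + CERT_ATTR);
        } else if (certs == null || certs.length == 0) {
            ctx.log("HTTPS but no client cert: check clientAuth and the connector truststore");
        } else {
            // RFC 2253 form, e.g. "CN=Ronhul Maggot,OU=...,O=..." (constructed sample).
            String dn = certs[0].getSubjectX500Principal().getName();
            Matcher m = CN_PATTERN.matcher(dn);
            String cn = m.find() ? m.group(1) : null;
            ctx.log("Client cert subject=" + dn + " extracted CN=" + cn
                    + (cn == null ? " (regex did not match; CN may be the last RDN)" : ""));
        }
        chain.doFilter(req, res);
    }

    public void destroy() { }
}
```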

  9. #9
    Join Date
    Jul 2011
    Posts
    6


    I looked into the source code of Spring Framework to find where the phrase "No client certificate found in request" is. I've found this fragment:

    Code:
    private X509Certificate extractClientCertificate(HttpServletRequest request) {
        X509Certificate[] certs = (X509Certificate[]) request.getAttribute("javax.servlet.request.X509Certificate");

        if (certs != null && certs.length > 0) {
            if (logger.isDebugEnabled()) {
                logger.debug("X.509 client authentication certificate:" + certs[0]);
            }

            return certs[0];
        }

        if (logger.isDebugEnabled()) {
            logger.debug("No client certificate found in request.");
        }

        return null;
    }
    So request.getAttribute("javax.servlet.request.X509Certificate") is null.

    What can I do to make it work? Why does Spring find nothing?
    Last edited by Ronhul; Jul 8th, 2011 at 02:09 AM.

  10. #10
    Luke Taylor (Senior Member, Acegi Security System Team / Spring Team)
    Join Date
    Aug 2004
    Location
    Glasgow, Scotland
    Posts
    3,449


    From the Javadoc for ServletRequest.getAttribute():

    The servlet container may set attributes to make available custom information about a request. For example, for requests made using HTTPS, the attribute javax.servlet.request.X509Certificate can be used to retrieve information on the certificate of the client.
    If the attribute is null, it is an issue with your container setup.