I have to do (with Spring Security 3) a user authentication in my application with an x509 certificate contained in a USB device.
My constraints are:
- My Tomcat Application Server is behind a front-end Apache server. But there is no HTTPS / SSL neither on Tomcat, nor on Apache, because the 2 servers are behind an IPS (Intrusion Prevention System) which is in a DMZ, and HTTPS is enabled only in the area.
- Authentication and authorization must be made through an LDAP directory.
Since there is no HTTPS on Tomcat (and no HTTPS on Apache, so no possibility to forward SSL data), I guess what I need is not quite the X509 authentication provided by Spring Security, am I right?
I thought to authenticate checking the validity of the client's certificate by comparing it with the version stored in the ldap (or checking some data from the certificate against the directory), then check auhorizations in the ldap for the user whose certificate has been verified.
But I fail to do this: I have a config that works for authentication by login/password against a ldap, and I try to adapt this config (which is very simple).
Here is my config for Ldap authentication with login/password :
How can I switch from this config for an authentication with login/password against an ldap, to a config to authenticate the user against an LDAP using the information of his certificate ?
<sec:intercept-url pattern="/**" access="ROLE_ADMIN" />
Is there a standard mechanism, or do I have to develop my own objects (UsersDetails, LdapAuthoritiesPopulator, ...)
Thanx in advance