I had a chance to revisit the issues with X.509 authentication on Tomcat on Metro2.1.1 and got it all working. My issue before was that some of the books in security are a bit vague.
1. I checkout URL: https://src.springframework.org/svn/...-security/tags
2. Copied and modified spring-security-3.0.0.RELEASE/samples//tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml as I am using the standard JDBC spring implementation tables:
3. Tomcat's server.xml is setup with :
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS" />
4. Did the normal exchange of certificates between host and client, added client certificates into servers trust store.
5. adding the username pgilliga into the databases users table authenticates:
Note : Subject: CN=pgilliga
, OU=operations, L=London, ST=GreaterLondon, O=xxxx.co.uk, C=GB, EMAILADDRESSfirstname.lastname@example.org
DEBUG [X509AuthenticationFilter] Authentication success: org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken@2a0f7ec4: Principal: org.springframework.security.core.userdetails.User@7476eb71: Username: pgilliga; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_APPR,ROLE_INT,ROLE_IOP,ROLE_KOP,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails@2cd90: RemoteIpAddress: 22.214.171.124; SessionId: B0E8573D8F4730251C7DDB3F81A678F3; Granted Authorities: ROLE_ADMIN, ROLE_APPR, ROLE_INT, ROLE_IOP, ROLE_KOP, ROLE_USER
As it was rest I tested from a browser on my MAC. Setup my certificate in my keychain access and added the cert from the host.
Then set both to trusted.
Interestingly both Chrome and Firefox would not do the CA auth ok ut safari did.