
Thread: X.509 authentication - which UserDetailsService?

  1. #1
    Join Date
    Dec 2008
    Location
    Forlì (Italy)
    Posts
    2

    X.509 authentication - which UserDetailsService?

    Hello everybody,

    I want to set up a webapp with two alternative ways of authentication: X.509 and form-login.
    Since I've never used Spring before, I faced the two tasks separately: first of all I implemented a simple webapp with only form-based login (against a database accessed through JDBC), and it works fine; but later, trying to do the same with only X.509 login, I really don't know how to configure it.

    In the webapp with only form-login, security-applicationContext.xml has the following structure (I have removed many parts that were not relevant):
    Code:
    <security:global-method-security secured-annotations="enabled" />

    <security:http auto-config="true">

        <security:intercept-url ... />

        <security:form-login ... />

    </security:http>

    <security:authentication-provider>
        <security:jdbc-user-service data-source-ref="dataSource" />
    </security:authentication-provider>
    When using X.509 authentication, I suppose security-applicationContext.xml should be something like this:
    Code:
    <security:global-method-security secured-annotations="enabled" />

    <security:http auto-config="true">

        <security:x509 subject-principal-regex="CN=(.*?)," user-service-ref=" ??? "/>

    </security:http>
    Well, I really have no idea what I should put in the user-service-ref attribute. In the reference guide I found:
    "This is the bean Id of the UserDetailsService to be used with X.509. It isn't needed if there is only one defined in your application context."
    But I have no UserDetailsService beans defined in applicationContext.xml. So my first question is: what am I supposed to do to make X.509 authentication work?


    Authentication is related to authorization, of course. In the form-login-based webapp, the mapping between users and permissions was performed by:
    • intercept tags, with which I restrict access to some URLs to some roles;
    • database tables USERS and AUTHORITIES, which map users to their roles.

    Using X.509, I'm not referring to the database anymore, right? (I'm not sure about that). So where is the mapping between users and roles located?

    Thanks in advance,

    Emanuele

  2. #2
    Join Date
    Jun 2007
    Location
    Minsk, Belarus
    Posts
    217


    Your application context already contains a UserDetailsService implementation:

    <security:jdbc-user-service data-source-ref="dataSource" />
    When jdbc-user-service is processed, the security namespace registers JdbcDaoImpl, which implements UserDetailsService.

    "This is the bean Id of the UserDetailsService to be used with X.509. It isn't needed if there is only one defined in your application context."
    If you don't specify an additional UserDetailsService, then <security:jdbc-user-service> will be used.

    X.509 processing will look like this: the username will be extracted from the CN and then used to read UserDetails from the database, the same way as during form-login.
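
The lookup flow described in the reply above, as an added example (not code from the thread or from Spring Security): it applies the thread's `subject-principal-regex` to constructed subject DNs and resolves the extracted name against an in-memory map standing in for the USERS/AUTHORITIES tables. The class name, the sample DNs, the map contents and the second, end-tolerant regex are assumptions made for illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class X509UsernameLookupDemo {

    // Regex taken from the thread's subject-principal-regex attribute.
    static final Pattern PAGE_REGEX = Pattern.compile("CN=(.*?),");
    // Assumed variant (not from the thread) that also accepts a CN at the end of the DN.
    static final Pattern END_TOLERANT_REGEX = Pattern.compile("CN=(.*?)(?:,|$)");

    // Constructed stand-in for the USERS/AUTHORITIES tables read by jdbc-user-service.
    static final Map<String, String> AUTHORITIES = new LinkedHashMap<>();
    static {
        AUTHORITIES.put("emanuele", "ROLE_USER");
        AUTHORITIES.put("admin", "ROLE_ADMIN");
    }

    // Returns the first capture group, or null when the subject DN does not match.
    static String extractUsername(String subjectDn, Pattern regex) {
        Matcher m = regex.matcher(subjectDn);
        return m.find() ? m.group(1) : null;
    }

    // CN -> username -> user record -> role, as in the reply above.
    static String authenticate(String subjectDn, Pattern regex) {
        String username = extractUsername(subjectDn, regex);
        if (username == null) {
            return "REJECTED: no username extracted from subject DN";
        }
        String role = AUTHORITIES.get(username);
        return role == null
                ? "REJECTED: trusted certificate, but '" + username + "' is not a known user"
                : "AUTHENTICATED: " + username + " with " + role;
    }

    public static void main(String[] args) {
        // Constructed subject DNs, in both common attribute orders.
        String[] subjects = {
            "CN=emanuele, OU=Dev, O=Example, C=IT",  // CN followed by a comma
            "C=IT, O=Example, OU=Dev, CN=emanuele",  // CN last: no trailing comma
            "CN=visitor, OU=Dev, O=Example, C=IT"    // valid DN, user missing from the map
        };
        for (String dn : subjects) {
            System.out.println(dn);
            System.out.println("  page regex:         " + authenticate(dn, PAGE_REGEX));
            System.out.println("  end-tolerant regex: " + authenticate(dn, END_TOLERANT_REGEX));
        }
    }
}
```

The second DN shows that `CN=(.*?),` extracts nothing when the CN is the last attribute, and the third shows that a certificate alone grants no roles: the extracted name still has to exist in the user store.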

  3. #3
    Join Date
    Dec 2008
    Location
    Forlì (Italy)
    Posts
    2


    It works like a charm!
    I really thank you, also for answering so fast!

    Now I'll start thinking about the most proper way to make both login and X.509 authentication available.

    Kind regards,

    Emanuele

  4. #4
    Join Date
    Jan 2009
    Posts
    1


    Hello.

    I'm trying to do the same, did you succeed? How?

    Thanks in advance.
