Guide for usage of digital certificates in Preauth provider

**ashimono** · Jan 5th, 2009, 07:53 AM

Greetings,

I'd like to ask for any sort of tutorial or guide that explains in detail the use of Digital Certificates (X509) with the preauth provider, from the client side. I noticed that the X509 provider is deprecated, and it is suggested to use the preauth instead, however I could not find any references on google about this topic.

Basically, I am developing a Proof-of-concept application that mixes Spring and Struts2, amongst others, and testing how to receive a digital certificate from the user trough a FORM, and use the preauth (or any other spring provider that can deal with digital certificates) to take care of security aspects.

Have anyone here ever used this kind of authentication for the client side?

Thanks in advance,

Alexandre.

**dkichline** · Jul 15th, 2009, 10:26 PM

I would like to second the request for any tutorials on the use of x.509 certificates and Spring Security. There is mention in the documentation about what is available, but does not go in great detail on how to use it.

**Luke Taylor** · Jul 16th, 2009, 06:53 AM

Have you read the chapter in the reference manual?

If so, please explain which part you don't understand. Not that it is assumed that you know how to set up SSL client-authentication for your container and that you are already familiar with Spring Security basics.

**dkichline** · Jul 16th, 2009, 07:48 AM

I have read the chapter in the reference manual. I have even scoured google for any examples of how to work with x.509 certs from a client and server perspective with no luck.

Here is what I am attempting to do. I have a bean that I am exporting with HTTP Invoker. I have setup SSL on our tomcat instance successfully and the client can connect to it without any issues. I then add access roles to the method, along with x509 element inside the http element. The client now receives an Access Denied error, which I would expect since I am not sending the certificate from the client yet.

So where my confusion lies is this. The client I spoke of is a stand-alone, springified java application. How does one send an x509 certificate up to the server? Second, how does the server authenticate the certificate? In other words, I have a key store that I placed the root and intermediate certificate from the CA in. What part of the process looks at them and how do I set that up? Is this within spring, or does tomcat authenticate the x509 certificate prior to the Spring framework receiving the certificate?

**Luke Taylor** · Jul 16th, 2009, 08:45 AM

As it says in the guide "you should be familiar with using certificates and setting up client authentication for your servlet container before attempting to use it with Spring Security. Most of the work is in creating and installing suitable certificates and keys... It's important that you get this working before trying it out with Spring Security".

You need to understand how SSL client authentication works and how to configure it start with. That is something between your client and the server. We provide a link to the tomcat documentation, but configuring SSL isn't within the scope of Spring Security. You are probably best to get it working with a browser installed client certificate before trying something like commons Http Client. Once you have mutual SSL authentication working then adding Spring Security's X.509 support is relatively simple.

**dkichline** · Jul 16th, 2009, 12:53 PM

This is what I keep reading from just about anyone that responds to this question. What I am missing is why is it so easy to configure for web services. They have examples of how to hook into a keystore. We have working production web services utilizing x.509 certificates to authenticate the web service client.

Why does this so "complicated" to get it to work with Spring Security?

I have SSL setup on tomcat successfully. I have a client that can connect to the remoting service successfully over https. What I can not seem to get to work is the authentication and authorization.

We have a certificate generated by a CA, we created the keystore. We just simply want a stand-alone java program to connect to the remoting service. No where can I find an example program that shows the Spring code (not the server setup) required to accomplish this. I have everything but the Spring part ready to go.

**Luke Taylor** · Jul 16th, 2009, 04:25 PM

The Spring Security part isn't complicated. All it does is extract the username from the client certificate (which it reads using the servlet API) and uses that to load a set of roles for the user and populate the security context. Thereafter it behaves the same as any other authentication mechanism within the framework. The actual authentication is part of the SSL handshake and is performed by the server you are running in, so configuring it isn't a Spring Security issue. It depends on the server you are using.

**erjablow** · Aug 10th, 2009, 10:25 AM

Here is a specific question; the LdapUserDetailsManager Javadoc includes at its beginning:

It is designed around a standard setup where users and groups/roles are stored under separate contexts, defined by the "userDnBase" and "groupSearchBase" properties respectively.

The class itself has a public void setGroupSearchBase(String) method, but it does not have a public void setUserDnBase(String) method. So, what object do I configure a userDnBase property upon? Do I create a DefaultLdapUsernameToDnMapper and configure the property upon that?

We already have x.509 authentication set up on an earlier Struts project, so that isn't the issue.

**erjablow** · Aug 11th, 2009, 01:40 PM

I'm trying to figure out what a minimal x.509/LDAP configuration should be. What configuration must I write? What classes must I write or adapt? We already use client certificates in other applications.

**honeybunny** · Aug 11th, 2009, 03:52 PM

This code is some old pre spring security code:

Code:

public class MyX509Provider extends X509PreAuthenticatedProcessingFilter
{
    public Authentication authenticate(Authentication authentication)
    throws AuthenticationException 
    {
        X509Certificate clientCertificate = 
             (X509Certificate)authentication.getCredentials();
        String subjectDN = clientCertificate.getSubjectDN().getName();

        String certCommonName = "";
        StringTokenizer tokens = new StringTokenizer(subjectDN,",");
        while (tokens.hasMoreTokens()){
        	String nextValue=tokens.nextToken();        	
        	if (StringUtils.trimLeadingWhitespace(
                     nextValue).startsWith("CN=")){
        		certCommonName = StringUtils.trimTrailingWhitespace(
                        StringUtils.trimLeadingWhitespace(
                                 nextValue).substring(3));
        		break;
        	}			
	}

        UserDetails details = lookupUserDetailsFromDB(certCommonName);
        grantedAuth = details.getAuthorities();
        return  new X509AuthenticationToken(
                details, clientCertificate, grantedAuth);
    }

}

The equivalant for spring security would be:

Code:

   	<bean id="x509ProcessingFilter" class="org.springframework.security.ui.preauth.x509.X509PreAuthenticatedProcessingFilter">
   		<property name="authenticationManager" ref="authenticationManager" />
   		<property name="principalExtractor">
   			<bean name="x509SubjectDNExtractor" class="org.springframework.security.ui.preauth.x509.SubjectDnX509PrincipalExtractor">
   				<!-- the spring default doesnt work if  CN is the last attribute
   				     there must be ONLY one capture group -->
   				<property name="subjectDnRegex" value="CN=(.*?)(?:,|$)" />
   			</bean>
   		</property>
   		
   	</bean>

Thread: Guide for usage of digital certificates in Preauth provider

Thread Tools

Display

Guide for usage of digital certificates in Preauth provider

LdapUserDetailsManager Javadoc problem

Minimal x.509 configuration

Tags for this Thread

Posting Permissions