Jan 7th, 2009, 11:37 AM
X.509 authentication without SSL
Is it possible to use the x.509 features of Spring Security without SSL?
For an example, the certificate is sent to the application somehow and there it is checked whether the certificate is valid or not, and after that the filters are applied?
Jan 7th, 2009, 12:28 PM
You can write custom filter similar to X509PreAuthenticatedProcessingFilter.
X509PreAuthenticatedProcessingFilter has extractClientCertificate but it is private.
Then register custom filter, PreAuthenticatedAuthenticationProvider, UserDetailsService, and PreAuthenticatedProcessingFilterEntryPoint.
Jan 7th, 2009, 01:09 PM
Thank you for your answer!
I wonder if there is any way to ask the browser to send the certificate, just like any SSL client-auth connection, and use the default X509PreAuthenticatedProcessingFilter.
Has anyone ever tried something similar before?
Jan 7th, 2009, 03:46 PM
If you are just sending the certificate then there is no authentication involved. The certificate is a public artifact and anyone could potentially obtain or send it. It's the demonstration of the knowledge of the private key matching the certificate which constitutes the authentication. So you need to use SSL (or some other approach which involves use of the private key).
Jan 8th, 2009, 06:05 AM
Sorry, the client would send also something digitally signed with the certificate, like a fixed phrase or something like that (maybe even a login).
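Added example (not from this thread and not part of Spring Security) putting the two suggestions together: a custom pre-authentication filter in the style of the second reply, which accepts a certificate sent in a request header, but only admits it with the proof of private-key possession the third reply asks for. Two caveats a practitioner would want that the thread does not spell out: what the client signs has to be a fresh, single-use server nonce rather than a fixed phrase (a signature over a fixed phrase can be captured once and replayed by anyone), and the certificate itself must still be checked against the CAs you trust, because otherwise anyone can mint a self-signed certificate with any subject and sign the nonce with its key. It assumes Spring Security 3.x or later, where the thread's X509PreAuthenticatedProcessingFilter is called X509AuthenticationFilter and its base class AbstractPreAuthenticatedProcessingFilter lives in org.springframework.security.web.authentication.preauth; the header names, the session attribute name and the class names are hypothetical.

```java
// Added example, not code from the thread or from Spring Security.
// Assumes Spring Security 3.x+; header names, session attribute and class names are hypothetical.
package example.auth;

import java.io.ByteArrayInputStream;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.Signature;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Collections;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpSession;

import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;

public class SignedNonceCertificateFilter extends AbstractPreAuthenticatedProcessingFilter {

    static final String CERT_HEADER = "X-Client-Cert";            // base64 DER certificate (hypothetical name)
    static final String SIG_HEADER  = "X-Client-Nonce-Signature"; // base64 signature over the nonce (hypothetical name)
    static final String NONCE_ATTR  = "example.auth.NONCE";       // session attribute holding the issued nonce

    private final KeyStore trustStore; // CA certificates the application accepts client certificates from

    public SignedNonceCertificateFilter(KeyStore trustStore) {
        this.trustStore = trustStore;
    }

    /** Step 1, served by a separate endpoint: hand the client a fresh random nonce to sign. */
    public static String issueNonce(HttpSession session) {
        byte[] nonce = new byte[32];
        new SecureRandom().nextBytes(nonce);
        session.setAttribute(NONCE_ATTR, nonce);
        return Base64.getEncoder().encodeToString(nonce);
    }

    /** Step 2, on the protected request: accept the certificate only together with proof of possession. */
    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        String certB64 = request.getHeader(CERT_HEADER);
        String sigB64 = request.getHeader(SIG_HEADER);
        HttpSession session = request.getSession(false);
        if (certB64 == null || sigB64 == null || session == null) {
            return null; // nothing to authenticate; the filter chain continues unauthenticated
        }
        byte[] nonce = (byte[]) session.getAttribute(NONCE_ATTR);
        session.removeAttribute(NONCE_ATTR); // single use: a captured signature cannot be replayed
        if (nonce == null) {
            return null;
        }
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            X509Certificate cert = (X509Certificate) cf.generateCertificate(
                    new ByteArrayInputStream(Base64.getDecoder().decode(certB64)));

            // The certificate is public data, so first check that it chains to a CA we trust;
            // without this, anyone could present a self-signed certificate with an arbitrary subject.
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(false); // turn on CRL/OCSP checking for production use
            CertPathValidator.getInstance("PKIX")
                    .validate(cf.generateCertPath(Collections.singletonList(cert)), params);

            // Then require proof of possession of the matching private key: a valid signature over our nonce.
            String alg = "EC".equals(cert.getPublicKey().getAlgorithm()) ? "SHA256withECDSA" : "SHA256withRSA";
            Signature verifier = Signature.getInstance(alg);
            verifier.initVerify(cert.getPublicKey());
            verifier.update(nonce);
            if (!verifier.verify(Base64.getDecoder().decode(sigB64))) {
                return null; // signature does not match this certificate's key
            }
            // The subject DN becomes the pre-authenticated principal that the UserDetailsService looks up.
            return cert.getSubjectX500Principal().getName();
        } catch (Exception e) {
            return null; // malformed input or untrusted certificate: treat as unauthenticated
        }
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return "N/A"; // the signed nonce has already served as the credential
    }
}
```

Wiring follows the second reply: register the filter (with the AuthenticationManager set on it) at the pre-authentication position, a PreAuthenticatedAuthenticationProvider whose preAuthenticatedUserDetailsService is a UserDetailsByNameServiceWrapper around your UserDetailsService, and an entry point for unauthenticated requests, for which Http403ForbiddenEntryPoint is the successor of the thread's PreAuthenticatedProcessingFilterEntryPoint. This only replaces the client-authentication part of SSL, not transport protection: over plain HTTP the session cookie that the nonce is bound to is still exposed.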