Announcement Announcement Module
No announcement yet.
Spring Security + X.509 + Tomcat 6 + metro 2.1.1 Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • Spring Security + X.509 + Tomcat 6 + metro 2.1.1


    I had a chance to revisit the issues with X.509 authentication on Tomcat on Metro2.1.1 and got it all working. My issue before was that some of the books in security are a bit vague.

    1. I checkout URL:

    2. Copied and modified spring-security-3.0.0.RELEASE/samples//tutorial/src/main/webapp/WEB-INF/applicationContext-security.xml as I am using the standard JDBC spring implementation tables:

       <jdbc-user-service data-source-ref="JNDIDataSource"/>
    3. Tomcat's server.xml is setup with :

     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
                   keystoreFile="/var/pscs/data/certs/server/<HOSTNAME>.keystore" keystorePass="<PASSWORD>"
                   truststoreFile="/var/pscs/data/certs/server/<HOSTNAME>.truststore" truststorePass="<PASSWORD>"
                   maxThreads="150" scheme="https" secure="true"
                   clientAuth="true" sslProtocol="TLS" />
    Note : clientAuth="true"

    4. Did the normal exchange of certificates between host and client, added client certificates into servers trust store.

    Note : Subject: CN=pgilliga, OU=operations, L=London, ST=GreaterLondon,, C=GB, [email protected]
    5. adding the username pgilliga into the databases users table authenticates:

    DEBUG [X509AuthenticationFilter] Authentication success:[email protected]: Principal: [email protected]: Username: pgilliga; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true; credentialsNonExpired: true; AccountNonLocked: true; Granted Authorities: ROLE_ADMIN,ROLE_APPR,ROLE_INT,ROLE_IOP,ROLE_KOP,ROLE_USER; Credentials: [PROTECTED]; Authenticated: true; Details:[email protected]: RemoteIpAddress:; SessionId: B0E8573D8F4730251C7DDB3F81A678F3; Granted Authorities: ROLE_ADMIN, ROLE_APPR, ROLE_INT, ROLE_IOP, ROLE_KOP, ROLE_USER

    6. Testing

    As it was rest I tested from a browser on my MAC. Setup my certificate in my keychain access and added the cert from the host.

    Then set both to trusted.

    Interestingly both Chrome and Firefox would not do the CA auth ok ut safari did.
    Last edited by pauldavidgilligan; Oct 29th, 2011, 03:59 PM.