  • Certificate Based client authentication in Spring security

    Hello Everyone,

    I am using Spring Security to authenticate an application.

    I have a specific WebService (not Spring WS) hosted inside the application.

    I want to authenticate only the WebService (with a specific URL) using SSL client certificates and not the entire application. My configuration for the WS URL in spring-security.xml is like:

    <security:intercept-url pattern="/SchedulerWebService"
    access="hasRole('P_VIEW_APP')" />

    <security:x509 subject-principal-regex="CN=(.*?)," user-service-ref="UserService"/>

    The subject-principal-regex fetches the Common Name from the entire DN. This part is working fine for me.

    And my tomcat-server.xml config for SSL is:

    <Connector acceptCount="100" connectionTimeout="20000" executor="tomcatThreadPool" maxKeepAliveRequests="15" port="${bio.http.port}" protocol="HTTP/1.1" SSLEnabled="true" keystoreFile="App-64.keystore.jks" keystorePass="changeit" scheme="https" secure="true" clientAuth="true" truststoreFile="app-client-64.truststore.jks" truststorePass="changeit" />

    To make client certificates work, clientAuth="true" is required. Problem is I want only the /SchedulerWebService URL to be protected using mutual SSL and not the entire application, but clientAuth="true" expects client certificates for the entire application.

    Any idea how to resolve this?

    Last edited by life1style1; Apr 13th, 2012, 09:33 AM. Reason: some error

  • #2
    Any help would be greatly appreciated.



    • #3
      Perhaps consider Bean Configuration

      Without knowing your environment or requirements, it sounds like you may want to change your Tomcat configuration to clientAuth="want" and switch to bean configuration. The clientAuth="want" tells Tomcat to request that the browser provide a user certificate if one is available.

      Here is a good article from one of the Spring principals regarding Bean Configuration:

      Then you can segment different filterChains for different urls/clients.

      Hope this helps!
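      The split suggested above, as an added example that is not code from either poster: the Tomcat connector is relaxed to clientAuth="want" so the TLS handshake no longer fails for callers without a certificate, and two Spring Security filter chains (Spring Security 3.1+ namespace, matched in order by their pattern attribute) enforce the certificate only on the Web service URL. It assumes the UserService bean and the P_VIEW_APP role from the original post; the form-login chain for the rest of the application is an assumption.

```xml
<!-- tomcat server.xml: only the clientAuth attribute changes.
     "want" asks for a client certificate but completes the handshake
     without one, so non-certificate users can still reach the app. -->
<Connector port="${bio.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true"
           keystoreFile="App-64.keystore.jks" keystorePass="changeit"
           clientAuth="want"
           truststoreFile="app-client-64.truststore.jks" truststorePass="changeit" />

<!-- spring-security.xml: one <http> element per filter chain.
     Chains are tried in declaration order, so the narrow pattern comes first. -->

<!-- Chain 1: the Web service alone requires a client certificate. -->
<security:http pattern="/SchedulerWebService/**" use-expressions="true">
    <security:intercept-url pattern="/**" access="hasRole('P_VIEW_APP')" />
    <!-- CN extracted from the certificate subject is looked up in UserService. -->
    <security:x509 subject-principal-regex="CN=(.*?)," user-service-ref="UserService" />
</security:http>

<!-- Chain 2 (assumed): everything else keeps its ordinary login and never
     sees the x509 filter, so no certificate is demanded there. -->
<security:http pattern="/**" use-expressions="true">
    <security:intercept-url pattern="/**" access="isAuthenticated()" />
    <security:form-login />
    <security:logout />
</security:http>
```

      A request to /SchedulerWebService that arrives without a certificate now passes the handshake but carries no authentication, so the intercept-url rule in chain 1 rejects it instead of the connector rejecting every URL.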