
  • Certificate Based client authentication in Spring security

    Hello Everyone,


    I am using Spring Security to authenticate an application.

    I have a specific WebService (not Spring WS) hosted inside the application.

    I want to authenticate only the WebService (with a specific URL) using SSL client certificates and not the entire application. My configuration for the WS URL in spring-security.xml is like:

    <security:intercept-url pattern="/SchedulerWebService"
    access="hasRole('P_VIEW_APP')" />

    <security:x509 subject-principal-regex="CN=(.*?)," user-service-ref="UserService"/>



    The subject-principal-regex fetches the Common Name from the entire DN. This part is working fine for me.


    And my tomcat-server.xml config for SSL is:


    <Connector acceptCount="100" connectionTimeout="20000" executor="tomcatThreadPool" maxKeepAliveRequests="15" port="${bio.http.port}" protocol="HTTP/1.1" SSLEnabled="true" keystoreFile="App-64.keystore.jks" keystorePass="changeit" scheme="https" secure="true" clientAuth="true" truststoreFile="app-client-64.truststore.jks" truststorePass="changeit" />


    To make client certificates work, clientAuth="true" is required. The problem is I want only the /SchedulerWebService URL to be protected using mutual SSL and not the entire application, but clientAuth="true" expects client certificates for the entire application.

    Any idea how to resolve this?


    Regards,
    Souvik
    Last edited by life1style1; Apr 13th, 2012, 09:33 AM. Reason: some error

  • #2
    Any help would be greatly appreciated.

    -Souvik

    • #3
      Perhaps consider Bean Configuration

      Without knowing your environment or requirements, it sounds like you may want to change your Tomcat configuration to clientAuth="want" and switch to bean configuration. The clientAuth="want" setting tells Tomcat to request that the browser provide a user certificate if one is available.

      Here is a good article from one of the Spring principals regarding Bean Configuration:
      http://blog.springsource.com/2010/03...ity-namespace/

      Then you can segment different filterChains for different urls/clients.

      Hope this helps!
      Marc
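
The approach from reply #3, sketched as an added example that is not part of the original thread or any poster's own configuration. It uses the namespace's multiple `<http pattern="...">` elements (assumes Spring Security 3.1 or later) instead of explicit bean configuration; the `x509EntryPoint` bean id and the second, form-login chain are assumptions, and the existing `<security:authentication-manager>` is assumed to stay unchanged.

```xml
<!-- Tomcat server.xml: the connector from the question with clientAuth changed
     from "true" to "want". The TLS handshake now succeeds without a client
     certificate, so the application itself must enforce it where required. -->
<Connector port="${bio.http.port}" protocol="HTTP/1.1" SSLEnabled="true"
           scheme="https" secure="true" clientAuth="want"
           keystoreFile="App-64.keystore.jks" keystorePass="changeit"
           truststoreFile="app-client-64.truststore.jks" truststorePass="changeit" />

<!-- spring-security.xml (security: prefix as in the question, beans as default namespace) -->

<!-- Chain 1: only the web service URL. X.509 is the sole mechanism here, so a
     request without a trusted client certificate stays unauthenticated and the
     hasRole() rule rejects it. -->
<security:http pattern="/SchedulerWebService" use-expressions="true"
               create-session="stateless" entry-point-ref="x509EntryPoint">
    <security:intercept-url pattern="/SchedulerWebService"
                            access="hasRole('P_VIEW_APP')" />
    <security:x509 subject-principal-regex="CN=(.*?),"
                   user-service-ref="UserService" />
</security:http>

<!-- Answers 403 instead of redirecting to a login page when no certificate was sent -->
<bean id="x509EntryPoint"
      class="org.springframework.security.web.authentication.Http403ForbiddenEntryPoint" />

<!-- Chain 2 (assumed): the rest of the application keeps its own login mechanism
     and never consults the client certificate -->
<security:http use-expressions="true">
    <security:intercept-url pattern="/**" access="isAuthenticated()" />
    <security:form-login />
</security:http>
```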
