This topic is closed

  • X.509 authentication without SSL

    Is it possible to use the X.509 features of Spring Security without SSL?
    For example, the certificate is sent to the application somehow and there it is checked whether the certificate is valid or not, and after that the filters are applied?

    Thank you!

    Alexandre.

  • #2
    You can write a custom filter similar to X509PreAuthenticatedProcessingFilter.
    X509PreAuthenticatedProcessingFilter has extractClientCertificate, but it is private.

    Then register the custom filter, PreAuthenticatedAuthenticationProvider, UserDetailsService, and PreAuthenticatedProcessingFilterEntryPoint.



    • #3
      Thank you for your answer!

      I wonder if there is any way to ask the browser to send the certificate, just like any SSL client-auth connection, and use the default X509PreAuthenticatedProcessingFilter.

      Has anyone ever tried something similar before?

      Regards,

      Alexandre.



      • #4
        If you are just sending the certificate then there is no authentication involved. The certificate is a public artifact and anyone could potentially obtain or send it. It's the demonstration of the knowledge of the private key matching the certificate which constitutes the authentication. So you need to use SSL (or some other approach which involves use of the private key).



        • #5
          Sorry, the client would also send something digitally signed with the certificate, like a fixed phrase or something like that (maybe even a login).

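The proof of private-key possession discussed in posts #4 and #5, as an added example that is not part of the original thread and not Spring Security code: the server issues a fresh single-use nonce, the client signs it, and the server verifies the signature with the certificate's public key. The class, the in-memory nonce store and the generated test keys are assumptions; `certKey` stands in for `X509Certificate.getPublicKey()` from a certificate that was already validated.

```java
import java.security.*;
import java.util.*;

public class ProofOfPossessionDemo {
    // Server side: outstanding single-use challenges (hypothetical in-memory store).
    static final Set<String> pending = new HashSet<>();
    static final SecureRandom rng = new SecureRandom();

    static byte[] issueChallenge() {
        byte[] nonce = new byte[32];
        rng.nextBytes(nonce);
        pending.add(Base64.getEncoder().encodeToString(nonce));
        return nonce;
    }

    // certKey: public key of a certificate whose chain and validity were already checked.
    static boolean verify(PublicKey certKey, byte[] nonce, byte[] sig)
            throws GeneralSecurityException {
        // remove() is false for unknown or already-used nonces, so a captured
        // (nonce, signature) pair is rejected when presented a second time.
        if (!pending.remove(Base64.getEncoder().encodeToString(nonce))) return false;
        Signature v = Signature.getInstance("SHA256withRSA");
        v.initVerify(certKey);
        v.update(nonce);
        return v.verify(sig);
    }

    // Client side: only the holder of the private key can produce this value.
    static byte[] sign(PrivateKey key, byte[] nonce) throws GeneralSecurityException {
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(key);
        s.update(nonce);
        return s.sign();
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair client = gen.generateKeyPair(); // constructed test key (certificate owner)
        KeyPair other = gen.generateKeyPair();  // party that holds only the public certificate

        byte[] n1 = issueChallenge();
        byte[] sig = sign(client.getPrivate(), n1);
        System.out.println("key holder: " + verify(client.getPublic(), n1, sig));
        System.out.println("same signature again: " + verify(client.getPublic(), n1, sig));
        byte[] n2 = issueChallenge();
        byte[] forged = sign(other.getPrivate(), n2);
        System.out.println("certificate only: " + verify(client.getPublic(), n2, forged));
    }
}
```

This check proves key possession at login time only; without TLS, the requests that follow it are not protected by it.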