X.509 : Server not able to extract user information from client certificate

Question

I have jetty working with SSL set up, client and server certificates (X.509) provided as required according to Spring Security and upto this it all seems working fine and verified by logs.

Now! The problem is when I access a secure page, client(Chrome) is sending a certificate and server is receiving it successfully but after that it is returning me an empty user. Does any body have any idea what is happening here?

I am providing some information about what I am trying here :

Environment

Windows/Jetty (version: 8.1.11.v20130520)/Spring Security (3.2.0)

Connector in jetty (version: 8.1.11.v20130520)

<connector implementation="org.eclipse.jetty.server.ssl.SslSocketConnector">
    <port>9443</port>
    <keystore>src/test/resources/server.jks</keystore>
    <needClientAuth>true</needClientAuth>
    <keyPassword>password</keyPassword>
    <password>password</password>
</connector>

Security Configuration file

<sec:x509 subject-principal-regex="CN=(.*?)" 
          user-service-ref="myUserDetailsService" />

Log extract

09:42:24:214 DEBUG org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor (SubjectDnX509PrincipalExtractor.java:43) - Subject DN is 'CN=rod, OU=Spring Security, O=Spring Framework' 09:42:24:218 DEBUG org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor (SubjectDnX509PrincipalExtractor.java:58) - Extracted Principal name is ''

Answer 1

The subject-principal-regex you use is wrong. If you want the extracted principal to be rod for the DN in the log message, set the pattern to CN=(.*?), (note the comma at the end). Btw, I think it is the default pattern, so you might as well just skip this setting.

Answer 2

Element <security:x509 /> is used to enable X.509 authentication in spring security.

Attribute subject-principal-regex of element <security:x509 /> is used to provide a regular expression to extract user name out of client certificate.

Regular expression helps in customizing which part do we want to extract out of object of client certificate as our user, like first middle or what ever as specified in regular expression and I was getting null user because of invalid regular expression.

Further more, attribute subject-principal-regex is optional and if we don't provided it explicitly then corresponding class (SubjectDnX509PrincipalExtractor) constrtuctor provides it with following, by default regex "CN=(.*?)(?:,|$)"