Spring Security With X.509 Certificate

Question

I am slowly going insane trying to configure Spring Security 3.0.0 to secure an application.

I have configured the server (jetty) to require client authentication (using a smart card). However, I cannot seem to get the applicationContext-security.xml and UserDetailsService implementation right.

First, from the application context file:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:context="http://www.springframework.org/schema/context"
   xmlns:security="http://www.springframework.org/schema/security"
   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd">


<security:global-method-security secured-annotations="enabled" />

<security:http auto-config="true">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
    <security:x509 subject-principal-regex="CN=(.*?)," user-service-ref="accountService" />
</security:http>

<bean id="accountService" class="com.app.service.AccountServiceImpl"/>

The UserDetailsService looks like this:

public class AccountServiceImpl implements AccountService, UserDetailsService {

private static final Log log = LogFactory.getLog(AccountServiceImpl.class);

private AccountDao accountDao;

@Autowired
public void setAccountDao(AccountDao accountDao) {
    this.accountDao = accountDao;
}

public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException, DataAccessException {

    log.debug("called loadUserByUsername()");
    System.out.println("called loadByUsername()");

    Account result = accountDao.getByEdpi(s);
    return result;

}

}

The application has a "front page" with a Login button, so access to that should not require any sort of authentication.

Any help is appreciated.

Answer 1

The application has a "front page" with a Login button, so access to that should not require any sort of authentication.

Something wrong is here. If you setup your servlet container to require client authentication, you cannot have such open-for-all page, in that case auth handshake won't success for users without smartcard and they won't even see container error page - It will be browser error instead.

It can be done making container to allow client auth and making login page open to anonymous users and secure other pages by SpringSec. But I won't recommend this for smartcard-PKI app. Smartcard auth implies security importance and it's more reliable to have non-smartcard users to thrown out early on container handshake. In that case you still can have user-friendly Login page on another port with a "Login" button linked to your app.

If you need help with SpringSecurity setup, please add more info about problems to your post.

Answer 2

From a configuration perspective, that looks fine. What is the error you're seeing? Are you seeing your UserDetailsService get invoked with the CN from X.509 cert?