Question

I need to configure 'Client certificate authentication' in Glassfish 3. I tried many scenarios but couldn't configure it. The requirement is that only the user who imported the .cer file can access the application.

So we need to configure in such a way that we need to validate the .cer file that is uploaded into the browser (through which the client is trying to access the application).

Once the certificate file is validated, then we need to show the login screen (form-login). Further we validate the username/password of the user.

I tried several configurations (in the applicationContext-security.xml file) but in vain.

Can anyone tell me how to configure Spring Security so that both the client certificate authentication (done first) and then the form-login (done next) work?

Solution

Spring does not do SSL; it's Glassfish that is setting up the SSL connection. By the time the request has arrived in Spring Security, all Spring Security knows is that the request came in over a secure channel, but it does not know how the secure channel was configured.

To set up client certificate authentication, you need to configure Glassfish to require a client-side certificate to set up the SSL connection and to refuse the connection if the client does not provide a valid certificate.

This way you will get the behavior you want: if the client does not present a valid certificate to Glassfish, Glassfish never routes the call to Spring.

I do know how to set up client-side SSL authentication with Glassfish so I can't help you with exact details, but Google should know the answer.
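
A fail-closed check inside the application that complements the container setting described above, as an added example that is not part of the original answer: a servlet filter that rejects any request lacking a client certificate from the TLS handshake, so the form-login page is never served if the Glassfish listener stops requiring one. The class name and the `clientCertSubject` attribute are hypothetical; the filter is assumed to be mapped to `/*` in web.xml ahead of the Spring Security filter chain.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/** Hypothetical filter: blocks requests that did not arrive with a client certificate. */
public class RequireClientCertFilter implements Filter {

    // Attribute defined by the Servlet specification: the container stores the
    // certificate chain the client presented during the TLS handshake here.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        Object attr = req.getAttribute(CERT_ATTR);
        boolean hasCert = attr instanceof X509Certificate[]
                && ((X509Certificate[]) attr).length > 0;

        if (!req.isSecure() || !hasCert) {
            // Fail closed: no TLS or no client certificate means the container
            // is not enforcing client auth on this listener, so stop here
            // instead of falling through to the form-login page.
            ((HttpServletResponse) res).sendError(
                    HttpServletResponse.SC_FORBIDDEN, "Client certificate required");
            return;
        }

        // The first element of the chain is the client's own certificate.
        // Expose its subject so later code can log it or bind it to the
        // username entered in the login form (attribute name is hypothetical).
        X509Certificate clientCert = ((X509Certificate[]) attr)[0];
        req.setAttribute("clientCertSubject",
                clientCert.getSubjectX500Principal().getName());
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The trust decision itself stays with the container's handshake and truststore; the filter only confirms that a certificate was presented before the login form is reachable.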

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow