Merge x509 certificates and login with spring security

Question

Merge x509 certificates and login with spring security

I want to configure my web app to support login (database credentials) or with x509 certificates (eId card reader), is this possible?

ApplicationContext-security.xml:

    <http use-expressions="true">
        <session-management invalid-session-url="${logout.url}" session-fixation-protection="newSession" >
           <concurrency-control max-sessions="1" error-if-maximum-exceeded="true" />
        </session-management>

        <intercept-url pattern="/index.zul" requires-channel="http" access="IS_AUTHENTICATED_ANONYMOUSLY" />        
        <intercept-url pattern="/restricted/admin/**" requires-channel="https" access="hasRole('ROLE_ADMIN')"  />       
        <intercept-url pattern="/restricted/**" requires-channel="https" access="hasAnyRole('ROLE_PUBLIC', 'ROLE_VDL', 'ROLE_ADMIN', 'ROLE_READ_ONLY')" />
        <x509 subject-principal-regex="SERIALNUMBER=(.*?)," user-service-ref="userDetailsService" />       


       <form-login login-page="/index.zul" default-target-url="/restricted/index.zul"
                    authentication-failure-url="/denied.html"
                    login-processing-url="/j_spring_security_check"/>
        <logout logout-success-url="/index.zul" invalidate-session="true" />
        <access-denied-handler error-page="/denied.html"></access-denied-handler>
</http>

<authentication-manager alias="authenticationManager">
        <authentication-provider>
            <jdbc-user-service data-source-ref="dataSource" id="userDetailsService"
                               authorities-by-username-query="SELECT u.username, a.authority
                                            FROM users u
                                            LEFT JOIN users_authorities ua ON u.username=ua.users_username
                                            LEFT JOIN authorities a ON ua.authorities_id=a.id
                                            WHERE username=?" />
        </authentication-provider>
</authentication-manager>

<beans:bean id="dataSource"
        class="org.springframework.jdbc.datasource.DriverManagerDataSource">
        <beans:property name="driverClassName" value="${jdbc.driverClassName}" />
        <beans:property name="url" value="${jdbc.url}" />
        <beans:property name="username" value="${jdbc.username}" />
        <beans:property name="password" value="${jdbc.password}" />
</beans:bean>

The login form works fine, but the login by certificate does not work, I am sure there is a suitable aproche to merge the two systems together, but I have not found a complete tutorial on the internet. Can anyone help me?

early.

+3

spring security authentication login x509

criflou Jul 27. 15 at 13:34

source to share

1 answer

criflou · Answer 1 · 2015-07-29T08:01:22+0000

thanks for your comments and suggestions, I changed my settings and it seems to work fine, here is my new application context security file:

<http use-expressions="true" auto-config="true" access-denied-page="/denied"
      authentication-manager-ref="authenticationManager">

    <intercept-url pattern="/index"  access="permitAll"  />
    <intercept-url pattern="/restricted/admin"  access="hasRole('ROLE_ADMIN')" requires-channel="https"  />
    <intercept-url pattern="/restricted" requires-channel="https"  access="hasAnyRole('ROLE_PUBLIC', 'ROLE_VDL', 'ROLE_ADMIN', 'ROLE_READ_ONLY')" />

    <form-login login-page="/index.zul" default-target-url="/restricted/index.zul"
                authentication-failure-url="/denied.html"
                login-processing-url="/j_spring_security_check"/>
    <x509 subject-principal-regex="SERIALNUMBER=(.*?)," user-service-ref="x509DS" />
    <logout logout-success-url="/index.zul" invalidate-session="true"  /> <!--${logout.url}-->
</http>


<beans:bean id="authenticationManager" class="org.springframework.security.authentication.ProviderManager">
    <beans:property name="providers">
        <beans:list>
            <beans:ref bean="authenticationProvider" />
        </beans:list>
    </beans:property>
</beans:bean>

<beans:bean id="authenticationProvider" class="org.springframework.security.authentication.dao.DaoAuthenticationProvider">
    <beans:property name="userDetailsService" ref="formDS"  />
</beans:bean>

<jdbc-user-service data-source-ref="dataSource" id="formDS"
                                        authorities-by-username-query="SELECT u.username, a.authority
                                        FROM users u
                                        LEFT JOIN users_authorities ua ON u.username=ua.users_username
                                        LEFT JOIN authorities a ON ua.authorities_id=a.id
                                        WHERE username=? AND u.canlogwithform=TRUE
                                        AND expirationdate >= now() " />

<jdbc-user-service data-source-ref="dataSource" id="x509DS" authorities-by-username-query="SELECT u.username, a.authority
                                        FROM users u
                                        LEFT JOIN users_authorities ua ON u.username=ua.users_username
                                        LEFT JOIN authorities a ON ua.authorities_id=a.id
                                        WHERE username=?"  />

Merge x509 certificates and login with spring security

More articles: