spring-security/docs/modules/ROOT/pages/reactive/authentication/x509.adoc

[[reactive-x509]]
= Reactive X.509 Authentication

Similar to xref:servlet/authentication/x509.adoc#servlet-x509[Servlet X.509 authentication], the reactive x509 authentication filter allows extracting an authentication token from a certificate provided by a client.

The following example shows a reactive x509 security configuration:

include-code::./DefaultX509Configuration[tag=springSecurity,indent=0]

In the preceding configuration, when neither `principalExtractor` nor `authenticationManager` is provided, defaults are used.
The default principal extractor is `SubjectX500PrincipalExtractor`, which extracts the CN (common name) field from a certificate provided by a client.
The default authentication manager is `ReactivePreAuthenticatedAuthenticationManager`, which performs user account validation, checking that a user account with a name extracted by `principalExtractor` exists and that it is not locked, disabled, or expired.

The following example demonstrates how these defaults can be overridden:

include-code::./CustomX509Configuration[tag=springSecurity,indent=0]

In the previous example, a username is extracted from the `emailAddress` field of a client certificate instead of CN, and account lookup uses a custom `ReactiveAuthenticationManager` instance.

For an example of configuring Netty and `WebClient` or `curl` command-line tool to use mutual TLS and enable X.509 authentication, see https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509.
Add documentation on Reactive x509 security [gh #5038] 2019-01-16 20:32:37 +00:00			`[[reactive-x509]]`
			`= Reactive X.509 Authentication`

Merge Clean up Reference Documentation Closes gh-9668 2021-12-13 16:57:36 -06:00			`Similar to xref:servlet/authentication/x509.adoc#servlet-x509[Servlet X.509 authentication], the reactive x509 authentication filter allows extracting an authentication token from a certificate provided by a client.`
Add documentation on Reactive x509 security [gh #5038] 2019-01-16 20:32:37 +00:00
Merge Clean up Reference Documentation Closes gh-9668 2021-12-13 16:57:36 -06:00			`The following example shows a reactive x509 security configuration:`
Add documentation on Reactive x509 security [gh #5038] 2019-01-16 20:32:37 +00:00
Update x509 Reference - Use include-code - Demo how to customize SubjectX500PrincipalExtractor 2025-06-11 08:41:38 -05:00			`include-code::./DefaultX509Configuration[tag=springSecurity,indent=0]`
Add documentation on Reactive x509 security [gh #5038] 2019-01-16 20:32:37 +00:00
Update x509 Reference - Use include-code - Demo how to customize SubjectX500PrincipalExtractor 2025-06-11 08:41:38 -05:00			In the preceding configuration, when neither `principalExtractor` nor `authenticationManager` is provided, defaults are used.
			The default principal extractor is `SubjectX500PrincipalExtractor`, which extracts the CN (common name) field from a certificate provided by a client.
			The default authentication manager is `ReactivePreAuthenticatedAuthenticationManager`, which performs user account validation, checking that a user account with a name extracted by `principalExtractor` exists and that it is not locked, disabled, or expired.
Add documentation on Reactive x509 security [gh #5038] 2019-01-16 20:32:37 +00:00
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`The following example demonstrates how these defaults can be overridden:`
Add documentation on Reactive x509 security [gh #5038] 2019-01-16 20:32:37 +00:00
Update x509 Reference - Use include-code - Demo how to customize SubjectX500PrincipalExtractor 2025-06-11 08:41:38 -05:00			`include-code::./CustomX509Configuration[tag=springSecurity,indent=0]`
Add remaining Kotlin samples to reference docs Closes gh-8172 2021-06-24 11:49:13 +02:00
Update x509 Reference - Use include-code - Demo how to customize SubjectX500PrincipalExtractor 2025-06-11 08:41:38 -05:00			In the previous example, a username is extracted from the `emailAddress` field of a client certificate instead of CN, and account lookup uses a custom `ReactiveAuthenticationManager` instance.
Add documentation on Reactive x509 security [gh #5038] 2019-01-16 20:32:37 +00:00
Change to main The switch to main triggered some conflicts, which I have fixed in this commit. 2021-04-27 15:36:17 -05:00			For an example of configuring Netty and `WebClient` or `curl` command-line tool to use mutual TLS and enable X.509 authentication, see https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509.