spring-security/docs/modules/ROOT/pages/servlet/authentication/x509.adoc

[[servlet-x509]]
= X.509 Authentication

[[x509-overview]]
The most common use of X.509 certificate authentication is in verifying the identity of a server when using SSL, most commonly when using HTTPS from a browser.
The browser automatically checks that the certificate presented by a server has been issued (digitally signed) by one of a list of trusted certificate authorities that it maintains.

You can also use SSL with "`mutual authentication`". The server then requests a valid certificate from the client as part of the SSL handshake.
The server authenticates the client by checking that its certificate is signed by an acceptable authority.
If a valid certificate has been provided, it can be obtained through the servlet API in an application.
For example, if you use Tomcat, you should read the https://tomcat.apache.org/tomcat-10.1-doc/ssl-howto.html[Tomcat SSL instructions].
You should get this working before trying it out with Spring Security.

The Spring Security X.509 module extracts the certificate by using a filter.
It maps the certificate to an application user and loads that user's set of granted authorities for use with the standard Spring Security infrastructure, specifically including at least the `FACTOR_X509` authority when <<servlet-x509-config, using the `HttpSecurity` DSL>>.

[[servlet-x509-config]]
== Adding X.509 Authentication to Your Web Application

Similar to xref:reactive/authentication/x509.adoc[Reactive X.509 authentication], the servlet x509 authentication filter allows extracting an authentication token from a certificate provided by a client.

The following example shows a reactive x509 security configuration:

include-code::./DefaultX509Configuration[tag=springSecurity,indent=0]

In the preceding configuration, when neither `principalExtractor` nor `authenticationManager` is provided, defaults are used.
The default principal extractor is `SubjectX500PrincipalExtractor`, which extracts the CN (common name) field from a certificate provided by a client.
The default authentication manager is `ReactivePreAuthenticatedAuthenticationManager`, which performs user account validation, checking that a user account with a name extracted by `principalExtractor` exists and that it is not locked, disabled, or expired.

The following example demonstrates how these defaults can be overridden:

include-code::./CustomX509Configuration[tag=springSecurity,indent=0]

In the previous example, a username is extracted from the `emailAddress` field of a client certificate instead of CN, and account lookup uses a custom `ReactiveAuthenticationManager` instance.

For an example of configuring Netty and `WebClient` or `curl` command-line tool to use mutual TLS and enable X.509 authentication, see https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509.


[[x509-ssl-config]]
== Setting up SSL in Tomcat
There are some pre-generated certificates in the {gh-samples-url}/servlet/java-configuration/authentication/x509/server[Spring Security Samples repository].
You can use these to enable SSL for testing if you do not want to generate your own.
The `server.jks` file contains the server certificate, the private key, and the issuing authority certificate.
There are also some client certificate files for the users from the sample applications.
You can install these in your browser to enable SSL client authentication.

To run tomcat with SSL support, drop the `server.jks` file into the tomcat `conf` directory and add the following connector to the `server.xml` file:

[source,xml]
----
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
			clientAuth="true" sslProtocol="TLS"
			keystoreFile="${catalina.home}/conf/server.jks"
			keystoreType="JKS" keystorePass="password"
			truststoreFile="${catalina.home}/conf/server.jks"
			truststoreType="JKS" truststorePass="password"
/>
----

`clientAuth` can also be set to `want` if you still want SSL connections to succeed even if the client does not provide a certificate.
Clients that do not present a certificate cannot access any objects secured by Spring Security unless you use a non-X.509 authentication mechanism, such as form authentication.
Polish Authentication 2020-03-02 22:45:45 -06:00			`[[servlet-x509]]`
Remove include servlet/saml2/index.adoc 2021-07-30 13:52:15 -05:00			`= X.509 Authentication`
Extract additional-topics subsections Issue: gh-2567 2018-03-06 11:58:02 -06:00
			`[[x509-overview]]`
			`The most common use of X.509 certificate authentication is in verifying the identity of a server when using SSL, most commonly when using HTTPS from a browser.`
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`The browser automatically checks that the certificate presented by a server has been issued (digitally signed) by one of a list of trusted certificate authorities that it maintains.`
Extract additional-topics subsections Issue: gh-2567 2018-03-06 11:58:02 -06:00
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			You can also use SSL with "`mutual authentication`". The server then requests a valid certificate from the client as part of the SSL handshake.
			`The server authenticates the client by checking that its certificate is signed by an acceptable authority.`
Extract additional-topics subsections Issue: gh-2567 2018-03-06 11:58:02 -06:00			`If a valid certificate has been provided, it can be obtained through the servlet API in an application.`
Update links in adocs Spring Security 6.0 requires Spring 6.0 as a minimum and Spring 6.0 requires a minimum of Tomcat 10/Jetty 11 Closes gh-13565 2023-07-20 10:26:08 +09:00			`For example, if you use Tomcat, you should read the https://tomcat.apache.org/tomcat-10.1-doc/ssl-howto.html[Tomcat SSL instructions].`
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`You should get this working before trying it out with Spring Security.`
Extract additional-topics subsections Issue: gh-2567 2018-03-06 11:58:02 -06:00
Reformatted lines in x509 overview documentation Signed-off-by: Soumik Sarker <ronodhirsoumik@gmail.com> 2025-04-29 03:17:14 +06:00			`The Spring Security X.509 module extracts the certificate by using a filter.`
Document Authentication Factors Issue gh-17933 2025-09-19 11:31:26 -06:00			It maps the certificate to an application user and loads that user's set of granted authorities for use with the standard Spring Security infrastructure, specifically including at least the `FACTOR_X509` authority when <<servlet-x509-config, using the `HttpSecurity` DSL>>.
Reformatted lines in x509 overview documentation Signed-off-by: Soumik Sarker <ronodhirsoumik@gmail.com> 2025-04-29 03:17:14 +06:00
Update x509 Reference - Use include-code - Demo how to customize SubjectX500PrincipalExtractor 2025-06-11 08:41:38 -05:00			`[[servlet-x509-config]]`
Remove include servlet/saml2/index.adoc 2021-07-30 13:52:15 -05:00			`== Adding X.509 Authentication to Your Web Application`
Update x509 Reference - Use include-code - Demo how to customize SubjectX500PrincipalExtractor 2025-06-11 08:41:38 -05:00
			`Similar to xref:reactive/authentication/x509.adoc[Reactive X.509 authentication], the servlet x509 authentication filter allows extracting an authentication token from a certificate provided by a client.`

			`The following example shows a reactive x509 security configuration:`

			`include-code::./DefaultX509Configuration[tag=springSecurity,indent=0]`

			In the preceding configuration, when neither `principalExtractor` nor `authenticationManager` is provided, defaults are used.
			The default principal extractor is `SubjectX500PrincipalExtractor`, which extracts the CN (common name) field from a certificate provided by a client.
			The default authentication manager is `ReactivePreAuthenticatedAuthenticationManager`, which performs user account validation, checking that a user account with a name extracted by `principalExtractor` exists and that it is not locked, disabled, or expired.

			`The following example demonstrates how these defaults can be overridden:`

			`include-code::./CustomX509Configuration[tag=springSecurity,indent=0]`

			In the previous example, a username is extracted from the `emailAddress` field of a client certificate instead of CN, and account lookup uses a custom `ReactiveAuthenticationManager` instance.

			For an example of configuring Netty and `WebClient` or `curl` command-line tool to use mutual TLS and enable X.509 authentication, see https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509.

Extract additional-topics subsections Issue: gh-2567 2018-03-06 11:58:02 -06:00
			`[[x509-ssl-config]]`
Remove include servlet/saml2/index.adoc 2021-07-30 13:52:15 -05:00			`== Setting up SSL in Tomcat`
Update links to point to migrated samples Closes gh-9816 2021-06-21 09:56:05 -03:00			`There are some pre-generated certificates in the {gh-samples-url}/servlet/java-configuration/authentication/x509/server[Spring Security Samples repository].`
Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`You can use these to enable SSL for testing if you do not want to generate your own.`
			The `server.jks` file contains the server certificate, the private key, and the issuing authority certificate.
Extract additional-topics subsections Issue: gh-2567 2018-03-06 11:58:02 -06:00			`There are also some client certificate files for the users from the sample applications.`
			`You can install these in your browser to enable SSL client authentication.`

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			To run tomcat with SSL support, drop the `server.jks` file into the tomcat `conf` directory and add the following connector to the `server.xml` file:
Extract additional-topics subsections Issue: gh-2567 2018-03-06 11:58:02 -06:00
			`[source,xml]`
			`----`
			`<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"`
			`clientAuth="true" sslProtocol="TLS"`
			`keystoreFile="${catalina.home}/conf/server.jks"`
			`keystoreType="JKS" keystorePass="password"`
			`truststoreFile="${catalina.home}/conf/server.jks"`
			`truststoreType="JKS" truststorePass="password"`
			`/>`
			`----`

Editing pass I went through everything to get it to fit with Spring's docuemntation standard. Lots of small changes for punctuation, grammar, usage, voice, and so on. Also added some links, mostly to the API Javadoc. 2021-04-21 16:01:26 -05:00			`clientAuth` can also be set to `want` if you still want SSL connections to succeed even if the client does not provide a certificate.
			`Clients that do not present a certificate cannot access any objects secured by Spring Security unless you use a non-X.509 authentication mechanism, such as form authentication.`
Extract additional-topics subsections Issue: gh-2567 2018-03-06 11:58:02 -06:00