spring-security/docs/modules/ROOT/pages/reactive/authentication/x509.adoc

[[reactive-x509]]
= Reactive X.509 Authentication

Similar to xref:servlet/authentication/x509.adoc#servlet-x509[Servlet X.509 authentication], reactive x509 authentication filter allows extracting an authentication token from a certificate provided by a client.

Below is an example of a reactive x509 security configuration:
====
.Java
[source,java,role="primary"]
----
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
	http
		.x509(withDefaults())
		.authorizeExchange(exchanges -> exchanges
		    .anyExchange().permitAll()
		);
	return http.build();
}
----

.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        x509 { }
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
    }
}
----
====

In the configuration above, when neither `principalExtractor` nor `authenticationManager` is provided defaults will be used. The default principal extractor is `SubjectDnX509PrincipalExtractor` which extracts the CN (common name) field from a certificate provided by a client. The default authentication manager is `ReactivePreAuthenticatedAuthenticationManager` which performs user account validation, checking that user account with a name extracted by `principalExtractor` exists and it is not locked, disabled, or expired.

The next example demonstrates how these defaults can be overridden.

====
.Java
[source,java,role="primary"]
----
@Bean
public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
	SubjectDnX509PrincipalExtractor principalExtractor =
	        new SubjectDnX509PrincipalExtractor();

	principalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)");

	ReactiveAuthenticationManager authenticationManager = authentication -> {
		authentication.setAuthenticated("Trusted Org Unit".equals(authentication.getName()));
		return Mono.just(authentication);
	};

	http
		.x509(x509 -> x509
		    .principalExtractor(principalExtractor)
		    .authenticationManager(authenticationManager)
		)
		.authorizeExchange(exchanges -> exchanges
		    .anyExchange().authenticated()
		);
	return http.build();
}
----

.Kotlin
[source,kotlin,role="secondary"]
----
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {
    val customPrincipalExtractor = SubjectDnX509PrincipalExtractor()
    customPrincipalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)")
    val customAuthenticationManager = ReactiveAuthenticationManager { authentication: Authentication ->
        authentication.isAuthenticated = "Trusted Org Unit" == authentication.name
        Mono.just(authentication)
    }
    return http {
        x509 {
            principalExtractor = customPrincipalExtractor
            authenticationManager = customAuthenticationManager
        }
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
    }
}
----
====

In this example, a username is extracted from the OU field of a client certificate instead of CN, and account lookup using `ReactiveUserDetailsService` is not performed at all. Instead, if the provided certificate issued to an OU named "Trusted Org Unit", a request will be authenticated.

For an example of configuring Netty and `WebClient` or `curl` command-line tool to use mutual TLS and enable X.509 authentication, please refer to https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509.
Add documentation on Reactive x509 security [gh #5038] 2019-01-16 15:32:37 -05:00			`[[reactive-x509]]`
			`= Reactive X.509 Authentication`

mkdir -p build/ids find -name ".adoc" \| xargs -I{file} awk -v file={file} '/\[\[/ { gsub("\[\|\]", ""); id=$0; gsub("./docs/modules/ROOT/pages/", "", file); gsub("\[\|\]", ""); id=$0;getline;text=$0; sub("^=+ ","", text); print file > "build/ids/"id".id"; print text > "build/ids/"id".text" }' {file} find docs/modules -name ".adoc"\|while read adoc_file_to_replace; do echo "Replacing $adoc_file_to_replace" for id_file in build/ids/*.id; do id=$(basename $id_file \| sed 's/\.id$//') xref_page=$(cat $id_file) if [[ "$adoc_file_to_replace" -ef "./docs/modules/ROOT/pages/$xref_page" ]] then echo " - Skipping same page refid $id " else sed -i -E "s%<<$id(\|,([^,>]+))>>%xref:${xref_page}#${id}[\2]%g" $adoc_file_to_replace fi done done 2021-07-30 17:56:54 -04:00			`Similar to xref:servlet/authentication/x509.adoc#servlet-x509[Servlet X.509 authentication], reactive x509 authentication filter allows extracting an authentication token from a certificate provided by a client.`
Add documentation on Reactive x509 security [gh #5038] 2019-01-16 15:32:37 -05:00
			`Below is an example of a reactive x509 security configuration:`
Add remaining Kotlin samples to reference docs Closes gh-8172 2021-06-24 05:49:13 -04:00			`====`
			`.Java`
			`[source,java,role="primary"]`
Add documentation on Reactive x509 security [gh #5038] 2019-01-16 15:32:37 -05:00			`----`
			`@Bean`
Remove exceptions from lambda security configuration Fixes: gh-7128 2019-07-24 12:15:32 -04:00			`public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {`
Support nested builder in DSL for reactive apps Fixes: gh-7107 2019-07-22 09:31:10 -04:00			`http`
			`.x509(withDefaults())`
Use standard lambda syntax in documentation Fixes: gh-7774 2020-01-10 07:10:36 -05:00			`.authorizeExchange(exchanges -> exchanges`
			`.anyExchange().permitAll()`
Support nested builder in DSL for reactive apps Fixes: gh-7107 2019-07-22 09:31:10 -04:00			`);`
			`return http.build();`
Add documentation on Reactive x509 security [gh #5038] 2019-01-16 15:32:37 -05:00			`}`
			`----`

Add remaining Kotlin samples to reference docs Closes gh-8172 2021-06-24 05:49:13 -04:00			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`@Bean`
			`fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {`
			`return http {`
			`x509 { }`
			`authorizeExchange {`
			`authorize(anyExchange, authenticated)`
			`}`
			`}`
			`}`
			`----`
			`====`

Add documentation on Reactive x509 security [gh #5038] 2019-01-16 15:32:37 -05:00			In the configuration above, when neither `principalExtractor` nor `authenticationManager` is provided defaults will be used. The default principal extractor is `SubjectDnX509PrincipalExtractor` which extracts the CN (common name) field from a certificate provided by a client. The default authentication manager is `ReactivePreAuthenticatedAuthenticationManager` which performs user account validation, checking that user account with a name extracted by `principalExtractor` exists and it is not locked, disabled, or expired.

			`The next example demonstrates how these defaults can be overridden.`

Add remaining Kotlin samples to reference docs Closes gh-8172 2021-06-24 05:49:13 -04:00			`====`
			`.Java`
			`[source,java,role="primary"]`
Add documentation on Reactive x509 security [gh #5038] 2019-01-16 15:32:37 -05:00			`----`
			`@Bean`
Remove exceptions from lambda security configuration Fixes: gh-7128 2019-07-24 12:15:32 -04:00			`public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {`
Support nested builder in DSL for reactive apps Fixes: gh-7107 2019-07-22 09:31:10 -04:00			`SubjectDnX509PrincipalExtractor principalExtractor =`
			`new SubjectDnX509PrincipalExtractor();`

			`principalExtractor.setSubjectDnRegex("OU=(.*?)(?:,\|$)");`

			`ReactiveAuthenticationManager authenticationManager = authentication -> {`
			`authentication.setAuthenticated("Trusted Org Unit".equals(authentication.getName()));`
			`return Mono.just(authentication);`
			`};`

			`http`
Use standard lambda syntax in documentation Fixes: gh-7774 2020-01-10 07:10:36 -05:00			`.x509(x509 -> x509`
			`.principalExtractor(principalExtractor)`
			`.authenticationManager(authenticationManager)`
Support nested builder in DSL for reactive apps Fixes: gh-7107 2019-07-22 09:31:10 -04:00			`)`
Use standard lambda syntax in documentation Fixes: gh-7774 2020-01-10 07:10:36 -05:00			`.authorizeExchange(exchanges -> exchanges`
			`.anyExchange().authenticated()`
Support nested builder in DSL for reactive apps Fixes: gh-7107 2019-07-22 09:31:10 -04:00			`);`
			`return http.build();`
Add documentation on Reactive x509 security [gh #5038] 2019-01-16 15:32:37 -05:00			`}`
			`----`

Add remaining Kotlin samples to reference docs Closes gh-8172 2021-06-24 05:49:13 -04:00			`.Kotlin`
			`[source,kotlin,role="secondary"]`
			`----`
			`@Bean`
			`fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {`
			`val customPrincipalExtractor = SubjectDnX509PrincipalExtractor()`
			`customPrincipalExtractor.setSubjectDnRegex("OU=(.*?)(?:,\|$)")`
			`val customAuthenticationManager = ReactiveAuthenticationManager { authentication: Authentication ->`
			`authentication.isAuthenticated = "Trusted Org Unit" == authentication.name`
			`Mono.just(authentication)`
			`}`
			`return http {`
			`x509 {`
			`principalExtractor = customPrincipalExtractor`
			`authenticationManager = customAuthenticationManager`
			`}`
			`authorizeExchange {`
			`authorize(anyExchange, authenticated)`
			`}`
			`}`
			`}`
			`----`
			`====`

Add documentation on Reactive x509 security [gh #5038] 2019-01-16 15:32:37 -05:00			In this example, a username is extracted from the OU field of a client certificate instead of CN, and account lookup using `ReactiveUserDetailsService` is not performed at all. Instead, if the provided certificate issued to an OU named "Trusted Org Unit", a request will be authenticated.

master->main Closes gh-9683 2021-04-26 17:50:35 -04:00			For an example of configuring Netty and `WebClient` or `curl` command-line tool to use mutual TLS and enable X.509 authentication, please refer to https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509.