Cwikius-Spring/spring-security
1
0
Fork 0
mirror of https://github.com/spring-projects/spring-security.git synced 2025-06-28 14:52:24 +00:00
Code Issues Packages Projects Releases Wiki Activity

SEC-701: Update X.509 Section

Browse Source 
http://jira.springframework.org/browse/SEC-701
This commit is contained in:
Luke Taylor 2008-03-09 13:24:13 +00:00
parent bd59e410e3
commit 8165e1d37f
1 changed files with 80 additions and 137 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

193
src/docbkx/x509-auth-provider.xml
View File

@ -1,134 +1,78 @@
<?xml version="1.0" encoding="UTF-8"?> <?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN" <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.4//EN"
"http://www.docbook.org/xml/4.4/docbookx.dtd"> "http://www.docbook.org/xml/4.4/docbookx.dtd">
<chapter id="x509"> <chapter id="x509">
<title>X509 Authentication</title> <title>X.509 Authentication</title>
<sect1 id="x509-overview"> <sect1 id="x509-overview">
<title>Overview</title> <title>Overview</title>
<para>The most common use of X.509 certificate authentication is in verifying the identity
<para>The most common use of X509 certificate authentication is in of a server when using SSL, most commonly when using HTTPS from a browser. The browser
verifying the identity of a server when using SSL, most commonly when will automatically check that the certificate presented by a server has been issued (ie
using HTTPS from a browser. The browser will automatically check that digitally signed) by one of a list of trusted certificate authorities which it
the certificate presented by a server has been issued (ie digitally
signed) by one of a list of trusted certificate authorities which it
maintains.</para> maintains.</para>
<para>You can also use SSL with <quote>mutual authentication</quote>; the server will then
<para>You can also use SSL with <quote>mutual authentication</quote>; request a valid certificate from the client as part of the SSL handshake. The server
the server will then request a valid certificate from the client as will authenticate the client by checking that it's certificate is signed by an
part of the SSL handshake. The server will authenticate the client by acceptable authority. If a valid certificate has been provided, it can be obtained
checking that it's certificate is signed by an acceptable authority. through the servlet API in an application. Spring Security X.509 module extracts the
If a valid certificate has been provided, it can be obtained through certificate using a filter and passes it to the configured X.509 authentication provider
the servlet API in an application. Spring Security X509 module to allow any additional application-specific checks to be applied. It also maps the
extracts the certificate using a filter and passes it to the certificate to an application user and loads that user's set of granted authorities for
configured X509 authentication provider to allow any additional use with the standard Spring Security infrastructure.</para>
application-specific checks to be applied. It also maps the <para>You should be familiar with using certificates and setting up client authentication
certificate to an application user and loads that user's set of for your servlet container before attempting to use it with Spring Security. Most of the
granted authorities for use with the standard Spring Security work is in creating and installing suitable certificates and keys. For example, if
infrastructure.</para> you're using Tomcat then read the instructions here <ulink
url="http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html"/>. It's important that
<para>You should be familiar with using certificates and setting up you get this working before trying it out with Spring Security</para>
client authentication for your servlet container before attempting to
use it with Spring Security. Most of the work is in creating and
installing suitable certificates and keys. For example, if you're
using Tomcat then read the instructions here <ulink
url="http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html"></ulink>.
It's important that you get this working before trying it out with
Spring Security</para>
</sect1> </sect1>
<sect1>
<sect1 id="x509-with-acegi"> <title>Adding X.509 Authentication to Your Web Application</title>
<title>Using X509 with Spring Security</title> <para> Enabling X.509 client authentication is very straightforward. Just add the <literal
>&lt;x509/&gt;</literal> element to your http security namespace configuration. <programlisting><![CDATA[
<para>With X509 authentication, there is no explicit login procedure <http>
so the implementation is relatively simple; there is no need to ...
redirect requests in order to interact with the user. As a result, <x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/>
some of the classes behave slightly differently from their equivalents ...
in other packages. For example, the default <quote>entry point</quote> </http>]]>
class, which is normally responsible for starting the authentication </programlisting> The element has two optional attributes: <itemizedlist>
process, is only invoked if the certificate is rejected and it always
returns an error to the user. With a suitable bean configuration, the
normal sequence of events is as follows <orderedlist>
<listitem> <listitem>
<para>The <classname>X509ProcessingFilter</classname> extracts <para><literal>subject-principal-regex</literal>. The regular expression used to
the certificate from the request and uses it as the credentials extract a username from the certificate's subject name. The default value is
for an authentication request. The generated authentication shown above. This is the username which will be passed to the <literal
request is an <classname>X509AuthenticationToken</classname>. >UserDetailsService</literal> to load the authorities for the
The request is passed to the authentication manager.</para> user.</para>
</listitem> </listitem>
<listitem> <listitem>
<para>The <classname>X509AuthenticationProvider</classname> <para><literal>user-service-ref</literal>. This is the bean Id of the
receives the token. Its main concern is to obtain the user <interfacename>UserDetailsService</interfacename> to be used with X.509.
information (in particular the user's granted authorities) that It isn't needed if there is only one defined in your application
matches the certificate. It delegates this responsibility to an context.</para>
<interfacename>X509AuthoritiesPopulator</interfacename>.</para>
</listitem> </listitem>
</itemizedlist> The <literal>subject-principal-regex</literal> should contain a single
<listitem> group. For example the default expression "CN=(.*?)," matches the common name field. So
<para>The populator's single method, if the subject name in the certificate is "CN=Jimi Hendrix, OU=...", this will give a
<methodname>getUserDetails(X509Certificate user name of "Jimi Hendrix". The matches are case insensitive. So "emailAddress=(.?),"
userCertificate)</methodname> is invoked. Implementations should will match "EMAILADDRESS=jimi@hendrix.org,CN=..." giving a user name "jimi@hendrix.org".
return a <classname>UserDetails</classname> instance containing If the client presents a certificate and a valid username is successfully extracted,
the array of <classname>GrantedAuthority</classname> objects for then there should be a valid <classname>Authentication</classname> object in the
the user. This method can also choose to reject the certificate security context. If no certificate is found, or no corresponding user could be found
(for example if it doesn't contain a matching user name). In then the security context will remain empty. This means that you can easily use X.509
such cases it should throw a authentication with other options such as a form-based login. </para>
<exceptionname>BadCredentialsException</exceptionname>. A
DAO-based implementation,
<classname>DaoX509AuthoritiesPopulator</classname>, is provided
which extracts the user's name from the subject <quote>common
name</quote> (CN) in the certificate. It also allows you to set
your own regular expression to match a different part of the
subject's distinguished name. A UserDetailsService is used to
load the user information.<!-- TODO: Give email matching as an example --></para>
</listitem>
<listitem>
<para>If everything has gone smoothly then there should be a
valid <classname>Authentication</classname> object in the secure
context and the invocation will procede as normal. If no
certificate was found, or the certificate was rejected, then the
<classname>ExceptionTranslationFilter</classname> will invoke
the <classname>X509ProcessingFilterEntryPoint</classname> which
returns a 403 error (forbidden) to the user.</para>
</listitem>
</orderedlist></para>
</sect1> </sect1>
<sect1 id="x509-config"> <sect1 id="x509-config">
<title>Configuration</title> <title>Configuring Tomcat</title>
<para>There are some pre-generated certificates in the Spring Security
<para>There is a version of the <link <filename>samples/certificate</filename> directory which you can use to enable SSL. The file
linkend="contacts-sample">Contacts Sample Application</link> which <filename>server.jks</filename> contains the server certificate, private key and the
uses X509. Copy the beans and filter setup from this as a starting issuing certificate authority. There are also some client certificate files for the users from the
point for configuring your own application. A set of example sample applications. You can install these in your browser to enable SSL client authentication.
certificates is also included which you can use to configure your </para>
server. These are <itemizedlist> <para>
<listitem> To enable SSL in tomcat <filename>server.xml</filename> file looks like this
<para><filename>user.p12</filename>: A PKCS12 format file <programlisting><![CDATA[
containing the client key and certificate. These should be <!-- SSL/TLS Connector configuration -->
installed in your browser. It maps to a use in the <Connector port="8443" address="${jboss.bind.address}"
application.</para>
</listitem>
<listitem>
<para><filename>server.p12</filename>: The server certificate
and key for HTTPS connections.</para>
</listitem>
<listitem>
<para><filename>ca.jks</filename>: A Java keystore containing
the certificate for the authority which issued the user's
certificate. This will be used by the container to validate
client certificates.</para>
</listitem>
</itemizedlist> For JBoss 3.2.7 (with Tomcat 5.0), the SSL
configuration in the <filename>server.xml</filename> file looks like
this <programlisting>
&lt;!-- SSL/TLS Connector configuration --&gt;
&lt;Connector port="8443" address="${jboss.bind.address}"
maxThreads="100" minSpareThreads="5" maxSpareThreads="15" maxThreads="100" minSpareThreads="5" maxSpareThreads="15"
scheme="https" secure="true" scheme="https" secure="true"
sslProtocol = "TLS" sslProtocol = "TLS"
@ -136,13 +80,12 @@
keystoreType="PKCS12" keystorePass="password" keystoreType="PKCS12" keystorePass="password"
truststoreFile="${jboss.server.home.dir}/conf/ca.jks" truststoreFile="${jboss.server.home.dir}/conf/ca.jks"
truststoreType="JKS" truststorePass="password" truststoreType="JKS" truststorePass="password"
/&gt; /> ]]>
</programlisting>
</programlisting><parameter>clientAuth</parameter> can also be set to <parameter>clientAuth</parameter> can also be set to <parameter>want</parameter> if you still
<parameter>want</parameter> if you still want SSL connections to want SSL connections to succeed even if the client doesn't provide a certificate.
succeed even if the client doesn't provide a certificate. Obviously Obviously these clients won't be able to access any objects secured by Spring Security
these clients won't be able to access any objects secured by Spring (unless you use a non-X509 authentication mechanism, such as BASIC authentication, to
Security (unless you use a non-X509 authentication mechanism, such as authenticate the user)</para>
BASIC authentication, to authenticate the user)</para>
</sect1> </sect1>
</chapter> </chapter>