mirror of
https://github.com/spring-projects/spring-security.git
synced 2025-07-01 16:22:15 +00:00
21 lines
1.5 KiB
Plaintext
21 lines
1.5 KiB
Plaintext
[[reactive-x509]]
|
|
= Reactive X.509 Authentication
|
|
|
|
Similar to xref:servlet/authentication/x509.adoc#servlet-x509[Servlet X.509 authentication], the reactive x509 authentication filter allows extracting an authentication token from a certificate provided by a client.
|
|
|
|
The following example shows a reactive x509 security configuration:
|
|
|
|
include-code::./DefaultX509Configuration[tag=springSecurity,indent=0]
|
|
|
|
In the preceding configuration, when neither `principalExtractor` nor `authenticationManager` is provided, defaults are used.
|
|
The default principal extractor is `SubjectX500PrincipalExtractor`, which extracts the CN (common name) field from a certificate provided by a client.
|
|
The default authentication manager is `ReactivePreAuthenticatedAuthenticationManager`, which performs user account validation, checking that a user account with a name extracted by `principalExtractor` exists and that it is not locked, disabled, or expired.
|
|
|
|
The following example demonstrates how these defaults can be overridden:
|
|
|
|
include-code::./CustomX509Configuration[tag=springSecurity,indent=0]
|
|
|
|
In the previous example, a username is extracted from the `emailAddress` field of a client certificate instead of CN, and account lookup uses a custom `ReactiveAuthenticationManager` instance.
|
|
|
|
For an example of configuring Netty and `WebClient` or `curl` command-line tool to use mutual TLS and enable X.509 authentication, see https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509.
|