mirror of
				https://github.com/spring-projects/spring-security.git
				synced 2025-10-25 19:58:48 +00:00 
			
		
		
		
	
		
			
				
	
	
		
			21 lines
		
	
	
		
			1.5 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
			
		
		
	
	
			21 lines
		
	
	
		
			1.5 KiB
		
	
	
	
		
			Plaintext
		
	
	
	
	
	
| [[reactive-x509]]
 | |
| = Reactive X.509 Authentication
 | |
| 
 | |
| Similar to xref:servlet/authentication/x509.adoc#servlet-x509[Servlet X.509 authentication], the reactive x509 authentication filter allows extracting an authentication token from a certificate provided by a client.
 | |
| 
 | |
| The following example shows a reactive x509 security configuration:
 | |
| 
 | |
| include-code::./DefaultX509Configuration[tag=springSecurity,indent=0]
 | |
| 
 | |
| In the preceding configuration, when neither `principalExtractor` nor `authenticationManager` is provided, defaults are used.
 | |
| The default principal extractor is `SubjectX500PrincipalExtractor`, which extracts the CN (common name) field from a certificate provided by a client.
 | |
| The default authentication manager is `ReactivePreAuthenticatedAuthenticationManager`, which performs user account validation, checking that a user account with a name extracted by `principalExtractor` exists and that it is not locked, disabled, or expired.
 | |
| 
 | |
| The following example demonstrates how these defaults can be overridden:
 | |
| 
 | |
| include-code::./CustomX509Configuration[tag=springSecurity,indent=0]
 | |
| 
 | |
| In the previous example, a username is extracted from the `emailAddress` field of a client certificate instead of CN, and account lookup uses a custom `ReactiveAuthenticationManager` instance.
 | |
| 
 | |
| For an example of configuring Netty and `WebClient` or `curl` command-line tool to use mutual TLS and enable X.509 authentication, see https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509.
 |