Added second version to authenticate with client certificates.

spring-security-x509/basic-secured-server/src/main/java/com/baeldung/spring/security/x509/UserController.java

@@ -1,5 +1,6 @@
 package com.baeldung.spring.security.x509;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Controller;
@@ -10,6 +11,7 @@ import java.security.Principal;
 
 @Controller
 public class UserController {
+    @PreAuthorize("hasAuthority('ROLE_USER')")
     @RequestMapping(value = "/user")
     public String user(Model model, Principal principal) {
         UserDetails currentUser = (UserDetails) ((Authentication) principal).getPrincipal();

spring-security-x509/basic-secured-server/src/main/java/com/baeldung/spring/security/x509/X509AuthenticationServer.java

@@ -1,11 +1,48 @@
 package com.baeldung.spring.security.x509;
 
+import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.boot.SpringApplication;
 import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
 
 @SpringBootApplication
-public class X509AuthenticationServer {
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class X509AuthenticationServer extends WebSecurityConfigurerAdapter {
+
     public static void main(String[] args) {
         SpringApplication.run(X509AuthenticationServer.class, args);
     }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.authorizeRequests().anyRequest().authenticated()
+                .and()
+                .x509().subjectPrincipalRegex("CN=(.*?)(?:,|$)").userDetailsService(userDetailsService());
+    }
+
+    @Bean
+    public UserDetailsService userDetailsService() {
+        return new UserDetailsService() {
+            @Override
+            public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
+                if (username.equals("cid")) {
+                    return new User(username, "", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
+                }
+                throw new UsernameNotFoundException("User not found!");
+            }
+        };
+    }
 }

spring-security-x509/basic-secured-server/src/main/resources/application.properties

@@ -5,4 +5,7 @@ server.ssl.key-password=${PASSWORD}
 server.ssl.enabled=true
 server.port=8443
 security.user.name=Admin
-security.user.password=admin
+security.user.password=admin
+server.ssl.trust-store=../keystore/truststore.jks
+server.ssl.trust-store-password=${PASSWORD}
+server.ssl.client-auth=need

spring-security-x509/client-auth-server/pom.xml

@@ -4,12 +4,12 @@
     <modelVersion>4.0.0</modelVersion>
 
     <groupId>com.baeldung.spring.security</groupId>
-    <artifactId>server</artifactId>
+    <artifactId>client-auth-server</artifactId>
     <version>0.0.1-SNAPSHOT</version>
     <packaging>jar</packaging>
 
-    <name>server</name>
+    <name>client-auth-server</name>
-    <description>Spring x.509 Authentication Demo</description>
+    <description>Spring x.509 Client Authentication Demo</description>
 
     <parent>
         <groupId>org.springframework.boot</groupId>

spring-security-x509/client-auth-server/src/main/java/com/baeldung/spring/security/x509/UserController.java

@@ -1,5 +1,6 @@
 package com.baeldung.spring.security.x509;
 
+import org.springframework.security.access.prepost.PreAuthorize;
 import org.springframework.security.core.Authentication;
 import org.springframework.security.core.userdetails.UserDetails;
 import org.springframework.stereotype.Controller;
@@ -9,8 +10,8 @@ import org.springframework.web.bind.annotation.RequestMapping;
 import java.security.Principal;
 
 @Controller
-public class UserResource {
+public class UserController {
-
+    @PreAuthorize("hasAuthority('ROLE_USER')")
     @RequestMapping(value = "/user")
     public String user(Model model, Principal principal) {
         UserDetails currentUser = (UserDetails) ((Authentication) principal).getPrincipal();

spring-security-x509/client-auth-server/src/main/java/com/baeldung/spring/security/x509/X509AuthenticationServer.java

@@ -0,0 +1,47 @@
+package com.baeldung.spring.security.x509;
+
+import org.springframework.beans.factory.annotation.Autowired;
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.authentication.AuthenticationManager;
+import org.springframework.security.config.annotation.authentication.builders.AuthenticationManagerBuilder;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.builders.WebSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+
+@SpringBootApplication
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class X509AuthenticationServer extends WebSecurityConfigurerAdapter {
+    public static void main(String[] args) {
+        SpringApplication.run(X509AuthenticationServer.class, args);
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.authorizeRequests().anyRequest().authenticated()
+          .and()
+          .x509().subjectPrincipalRegex("CN=(.*?)(?:,|$)").userDetailsService(userDetailsService());
+    }
+
+    @Bean
+    public UserDetailsService userDetailsService() {
+        return new UserDetailsService() {
+            @Override
+            public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
+                if (username.equals("cid")) {
+                    return new User(username, "", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
+                }
+                throw new UsernameNotFoundException("User not found!");
+            }
+        };
+    }
+}

spring-security-x509/client-auth-server/src/main/resources/application.properties

@@ -1,8 +1,11 @@
 server.ssl.key-store=../keystore/keystore.jks
 server.ssl.key-store-password=${PASSWORD}
-server.ssl.key-alias=localhost
+server.ssl.key-alias=${HOSTNAME}
 server.ssl.key-password=${PASSWORD}
 server.ssl.enabled=true
 server.port=8443
 security.user.name=Admin
-security.user.password=admin
+security.user.password=admin
+server.ssl.trust-store=../keystore/truststore.jks
+server.ssl.trust-store-password=${PASSWORD}
+server.ssl.client-auth=need

spring-security-x509/client-auth-server/src/main/resources/templates/user.html

@@ -1,9 +1,9 @@
 <!DOCTYPE html>
 <html xmlns:th="http://www.thymeleaf.org">
 <head>
-    <title>X.509 Authentication Demo</title>
+<title>X.509 Authentication Demo</title>
 </head>
 <body>
-<h2>Hello <span th:text="${username}"/>!</h2>
+	<h2>Hello <span th:text="${username}"/>!</h2>
 </body>
 </html>

spring-security-x509/client-auth-server/src/test/java/com/baeldung/spring/security/x509/X509AuthenticationServerTests.java

@@ -8,9 +8,7 @@ import org.springframework.test.context.junit4.SpringRunner;
 @RunWith(SpringRunner.class)
 @SpringBootTest
 public class X509AuthenticationServerTests {
-
     @Test
     public void contextLoads() {
     }
-
 }

spring-security-x509/keystore/Makefile

@@ -2,6 +2,7 @@ PASSWORD=changeit
 KEYSTORE=keystore.jks
 HOSTNAME=localhost
 CLIENTNAME=cid
+
 # CN = Common Name
 # OU = Organization Unit
 # O  = Organization Name
@@ -76,6 +77,11 @@ add-client:
 	keytool -import -trustcacerts -alias $(CLIENTNAME) \
 	    -file "$(CLIENTNAME).crt" \
 	    -keystore $(TRUSTSTORE) -storepass $(PASSWORD)
+	# Export private certificate for importing into a browser
+	keytool -importkeystore -srcalias $(CLIENTNAME) \
+	    -srckeystore $(TRUSTSTORE) -srcstorepass $(PASSWORD) \
+	    -destkeystore "$(CLIENTNAME).p12" -deststorepass $(PASSWORD) \
+	    -deststoretype PKCS12
 
 clean:
 	# Remove generated artifacts

spring-security-x509/server/src/main/java/com/baeldung/spring/security/x509/X509AuthenticationServer.java

@@ -1,12 +0,0 @@
-package com.baeldung.spring.security.x509;
-
-import org.springframework.boot.SpringApplication;
-import org.springframework.boot.autoconfigure.SpringBootApplication;
-
-@SpringBootApplication
-public class X509AuthenticationServer {
-
-    public static void main(String[] args) {
-        SpringApplication.run(X509AuthenticationServer.class, args);
-    }
-}