JAVA-1130: Update the x509 mutual authentication codebase
This commit is contained in:
Krzysiek
parent
87ac7a74be
commit
647a6dc798
|
|
@ -1,92 +0,0 @@
|
|||
PASSWORD=changeit
|
||||
KEYSTORE=keystore.jks
|
||||
HOSTNAME=localhost
|
||||
CLIENTNAME=cid
|
||||
CLIENT_PRIVATE_KEY="${CLIENTNAME}_pk"
|
||||
|
||||
# CN = Common Name
|
||||
# OU = Organization Unit
|
||||
# O = Organization Name
|
||||
# L = Locality Name
|
||||
# ST = State Name
|
||||
# C = Country (2-letter Country Code)
|
||||
# E = Email
|
||||
DNAME_CA='CN=Baeldung CA,OU=baeldung.com,O=Baeldung,L=SomeCity,ST=SomeState,C=CC'
|
||||
# For server certificates, the Common Name (CN) must be the hostname
|
||||
DNAME_HOST='CN=$(HOSTNAME),OU=baeldung.com,O=Baeldung,L=SomeCity,ST=SomeState,C=CC'
|
||||
DNAME_CLIENT='CN=$(CLIENTNAME),OU=baeldung.com,O=Baeldung,L=SomeCity,ST=SomeState,C=CC'
|
||||
TRUSTSTORE=truststore.jks
|
||||
|
||||
all: clean create-keystore add-host create-truststore add-client
|
||||
|
||||
create-keystore:
|
||||
# Generate a certificate authority (CA)
|
||||
keytool -genkey -alias ca -ext san=dns:localhost,ip:127.0.0.1 -ext BC=ca:true \
|
||||
-keyalg RSA -keysize 4096 -sigalg SHA512withRSA -keypass $(PASSWORD) \
|
||||
-validity 3650 -dname $(DNAME_CA) \
|
||||
-keystore $(KEYSTORE) -storepass $(PASSWORD)
|
||||
|
||||
add-host:
|
||||
# Generate a host certificate
|
||||
keytool -genkey -alias $(HOSTNAME) -ext san=dns:localhost,ip:127.0.0.1 \
|
||||
-keyalg RSA -keysize 4096 -sigalg SHA512withRSA -keypass $(PASSWORD) \
|
||||
-validity 3650 -dname $(DNAME_HOST) \
|
||||
-keystore $(KEYSTORE) -storepass $(PASSWORD)
|
||||
# Generate a host certificate signing request
|
||||
keytool -certreq -alias $(HOSTNAME) -ext san=dns:localhost,ip:127.0.0.1 -ext BC=ca:true \
|
||||
-keyalg RSA -keysize 4096 -sigalg SHA512withRSA \
|
||||
-validity 3650 -file "$(HOSTNAME).csr" \
|
||||
-keystore $(KEYSTORE) -storepass $(PASSWORD)
|
||||
# Generate signed certificate with the certificate authority
|
||||
keytool -gencert -alias ca -ext san=dns:localhost,ip:127.0.0.1 \
|
||||
-validity 3650 -sigalg SHA512withRSA \
|
||||
-infile "$(HOSTNAME).csr" -outfile "$(HOSTNAME).crt" -rfc \
|
||||
-keystore $(KEYSTORE) -storepass $(PASSWORD)
|
||||
# Import signed certificate into the keystore
|
||||
keytool -import -trustcacerts -alias $(HOSTNAME) -ext san=dns:localhost,ip:127.0.0.1 \
|
||||
-file "$(HOSTNAME).crt" \
|
||||
-keystore $(KEYSTORE) -storepass $(PASSWORD)
|
||||
|
||||
export-authority:
|
||||
# Export certificate authority
|
||||
keytool -export -alias ca -ext san=dns:localhost,ip:127.0.0.1 -file ca.crt -rfc \
|
||||
-keystore $(KEYSTORE) -storepass $(PASSWORD)
|
||||
|
||||
|
||||
create-truststore: export-authority
|
||||
# Import certificate authority into a new truststore
|
||||
keytool -import -trustcacerts -noprompt -alias ca -ext san=dns:localhost,ip:127.0.0.1 -file ca.crt \
|
||||
-keystore $(TRUSTSTORE) -storepass $(PASSWORD)
|
||||
|
||||
add-client:
|
||||
# Generate client certificate
|
||||
keytool -genkey -alias $(CLIENT_PRIVATE_KEY) -ext san=dns:localhost,ip:127.0.0.1 \
|
||||
-keyalg RSA -keysize 4096 -sigalg SHA512withRSA -keypass $(PASSWORD) \
|
||||
-validity 3650 -dname $(DNAME_CLIENT) \
|
||||
-keystore $(TRUSTSTORE) -storepass $(PASSWORD)
|
||||
# Generate a host certificate signing request
|
||||
keytool -certreq -alias $(CLIENT_PRIVATE_KEY) -ext san=dns:localhost,ip:127.0.0.1 -ext BC=ca:true \
|
||||
-keyalg RSA -keysize 4096 -sigalg SHA512withRSA \
|
||||
-validity 3650 -file "$(CLIENTNAME).csr" \
|
||||
-keystore $(TRUSTSTORE) -storepass $(PASSWORD)
|
||||
# Generate signed certificate with the certificate authority
|
||||
keytool -gencert -alias ca -ext san=dns:localhost,ip:127.0.0.1 \
|
||||
-validity 3650 -sigalg SHA512withRSA \
|
||||
-infile "$(CLIENTNAME).csr" -outfile "$(CLIENTNAME).crt" -rfc \
|
||||
-keystore $(KEYSTORE) -storepass $(PASSWORD)
|
||||
# Import signed certificate into the truststore
|
||||
keytool -import -trustcacerts -alias $(CLIENTNAME) -ext san=dns:localhost,ip:127.0.0.1 \
|
||||
-file "$(CLIENTNAME).crt" \
|
||||
-keystore $(TRUSTSTORE) -storepass $(PASSWORD)
|
||||
# Export private certificate for importing into a browser
|
||||
keytool -importkeystore -srcalias $(CLIENT_PRIVATE_KEY) -ext san=dns:localhost,ip:127.0.0.1 \
|
||||
-srckeystore $(TRUSTSTORE) -srcstorepass $(PASSWORD) \
|
||||
-destkeystore "$(CLIENTNAME).p12" -deststorepass $(PASSWORD) \
|
||||
-deststoretype PKCS12
|
||||
# Delete client private key as truststore should not contain any private keys
|
||||
keytool -delete -alias $(CLIENT_PRIVATE_KEY) \
|
||||
-keystore $(TRUSTSTORE) -storepass $(PASSWORD)
|
||||
|
||||
clean:
|
||||
# Remove generated artifacts
|
||||
find . \( -name "$(CLIENTNAME)*" -o -name "$(HOSTNAME)*" -o -name "$(KEYSTORE)" -o -name "$(TRUSTSTORE)" -o -name ca.crt \) -type f -exec rm -f {} \;
|
||||
Binary file not shown.
|
|
@ -1,4 +1,4 @@
|
|||
server.ssl.key-store=keystore/keystore.jks
|
||||
server.ssl.key-store=store/keystore.jks
|
||||
server.ssl.key-store-password=changeit
|
||||
server.ssl.key-alias=localhost
|
||||
server.ssl.key-password=changeit
|
||||
|
|
|
|||
|
|
@ -23,7 +23,11 @@ public class X509AuthenticationServer extends WebSecurityConfigurerAdapter {
|
|||
|
||||
@Override
|
||||
protected void configure(HttpSecurity http) throws Exception {
|
||||
http.authorizeRequests().anyRequest().authenticated().and().x509().subjectPrincipalRegex("CN=(.*?)(?:,|$)").userDetailsService(userDetailsService());
|
||||
http.authorizeRequests().anyRequest().authenticated()
|
||||
.and()
|
||||
.x509()
|
||||
.subjectPrincipalRegex("CN=(.*?)(?:,|$)")
|
||||
.userDetailsService(userDetailsService());
|
||||
}
|
||||
|
||||
@Bean
|
||||
|
|
@ -31,7 +35,7 @@ public class X509AuthenticationServer extends WebSecurityConfigurerAdapter {
|
|||
return new UserDetailsService() {
|
||||
@Override
|
||||
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
|
||||
if (username.equals("cid")) {
|
||||
if (username.equals("Bob")) {
|
||||
return new User(username, "", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
|
||||
}
|
||||
throw new UsernameNotFoundException("User not found!");
|
||||
|
|
|
|||
|
|
@ -1,4 +1,4 @@
|
|||
server.ssl.key-store=../keystore/keystore.jks
|
||||
server.ssl.key-store=store/keystore.jks
|
||||
server.ssl.key-store-password=changeit
|
||||
server.ssl.key-alias=localhost
|
||||
server.ssl.key-password=changeit
|
||||
|
|
@ -6,6 +6,6 @@ server.ssl.enabled=true
|
|||
server.port=8443
|
||||
spring.security.user.name=Admin
|
||||
spring.security.user.password=admin
|
||||
server.ssl.trust-store=../keystore/truststore.jks
|
||||
server.ssl.trust-store=store/truststore.jks
|
||||
server.ssl.trust-store-password=changeit
|
||||
server.ssl.client-auth=need
|
||||
Binary file not shown.
Binary file not shown.
Binary file not shown.
|
|
@ -0,0 +1,30 @@
|
|||
-----BEGIN CERTIFICATE-----
|
||||
MIIFDzCCAvegAwIBAgIUHBIbl/8i0uLnPD8BuNHninzcqEMwDQYJKoZIhvcNAQEL
|
||||
BQAwFzEVMBMGA1UEAwwMQmFlbGR1bmcuY29tMB4XDTIwMDQxOTE2MTYyOFoXDTMw
|
||||
MDQxNzE2MTYyOFowFzEVMBMGA1UEAwwMQmFlbGR1bmcuY29tMIICIjANBgkqhkiG
|
||||
9w0BAQEFAAOCAg8AMIICCgKCAgEAx5UzDt8Q+p8fAERc8mb8vPJTMi1oTe3YsMjj
|
||||
QsMpRJBjVyQ2BLe0AzevQjDthCD56sv+u6EoBibIDQ3rtXUpTi20XQU6aaU6tsmG
|
||||
QBp/PapXU0qoRzoyTPjSpkjp8/VngH52adeQ0YFSQQfxzcFsEpIlceKC8bSqplQg
|
||||
mM9GoRLzEHu8JoLtHHQvZhTZabB/t0SUNy6O848OmoEjW2PCyMG/XczP0BlSFDT/
|
||||
3FIJlTnKe+MfhXxbYuydQQbStoDuRqkHxprjRaCT/PXeEuW68FahyiTgeKL5Ite9
|
||||
NI0k37mRsO/gMPIMgJDU0Soz0zcaRZdQDrxTZBk43i2O/LSwPtcpxvOy5JCLJSP7
|
||||
Ff6yx6BkkIAxLrWZGIQ0DiL4L+XocjEy3WMhzQ/ka6M1Zi0JxCRBOPpV2yO1GE7U
|
||||
NUVvHaHijiJlXGZ/YGzplkLGaPIPGLHRsJFf9+IDepyJ9+E2mKD1rXAYXrcGW/Hk
|
||||
Is1A2Je0iH4IjYTrieMSuHG4Jb0fytMAPoFOXnLS18xv7CPX0m9M2OIL9/kFfI+f
|
||||
4M7/mEOUwQw+Jt9EAz9QsjUdZ0ybT0gtq9GaIHBo844YbyEKe7Hzp5Msk4/+3qJz
|
||||
FHyC8ay73jkLDv1jOKr9D/wd/TOfSrytktcP+y96+gUdp1RxMxv9hfFSAZ0lXd2E
|
||||
X18X6RECAwEAAaNTMFEwHQYDVR0OBBYEFPIRVQmLHgzCWfvENpeURm3jt2K4MB8G
|
||||
A1UdIwQYMBaAFPIRVQmLHgzCWfvENpeURm3jt2K4MA8GA1UdEwEB/wQFMAMBAf8w
|
||||
DQYJKoZIhvcNAQELBQADggIBAGa6bvEvira9FJ559bRvnqNsdaybj++Q9ItRyejs
|
||||
BvLupLhhCnFWC1rX3WufpyGxgQCu4Lng+ZXtJxSo4dJL4wXDf5U+/EgL0nNQXhQh
|
||||
kcqm2k1GBgAPnKEt+9nF3326EchI7Vx7JV4AO89ifdfc3Z7q9MOWE4siro6JtK7l
|
||||
WWfv7LwT9QdDW/Ww7wUAOKdJYlUBzqMYHwEBnIhNMyuFejDzc2GmkZiIjFq5bKoN
|
||||
FpsjHCkPH4DdDhQKdwa1JRvML7r8IkVqL3NoSp2vkB07MkRiHtQL5R2/wI/WhiK2
|
||||
19YPeEP2fQc5NduFAqyz8VaxwskwtjCjUxJHKpEzUTa1n53X+0jx6yw7bmDnE4SW
|
||||
JEq9563apphJWeFTGCSuTvc98TcZvxWDW8FeLoaWdBF+Tohddje10BW2IUvrSJHI
|
||||
jh0LpWIJ6QTY+amwLF2USSgnBZwPZT34PS81FYmA1bn/Sa6uWc/dPZg9lvwKU6ta
|
||||
Z9K4loc8OF+FXQHruV+3tqzXybR9dZG3fvW4RPR9BgxApzSw8lYKAfR5Lth7ihVi
|
||||
/zlxZjvbXy0D+4xPg5OGwn3g/3n4XLhAMT87KvHc9VjbHt6uwmLgny+6Dw9JXuTC
|
||||
R004LuQe3wfUye4x9WmQD5Zlg1dENvezCG8l9z5LRUDF+Rh0qXPMpUCaCuT3TvEN
|
||||
clOH
|
||||
-----END CERTIFICATE-----
|
||||
Binary file not shown.
Loading…
Reference in New Issue