Merge branch 'pr/585-christian-mutual-auth'

pom.xml

@@ -99,6 +99,7 @@
         <module>spring-security-rest-custom</module>
         <module>spring-security-rest-digest-auth</module>
         <module>spring-security-rest-full</module>
+        <module>spring-security-x509</module>
         <module>spring-thymeleaf</module>
         <module>spring-zuul</module>
         <module>jsf</module>

spring-security-x509/basic-secured-server/pom.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
+         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>basic-secured-server</artifactId>
+    <version>0.0.1-SNAPSHOT</version>
+    <packaging>jar</packaging>
+
+    <name>basic-secured-server</name>
+    <description>Spring x.509 Authentication Demo</description>
+
+    <parent>
+        <groupId>com.baeldung</groupId>
+        <artifactId>spring-security-x509</artifactId>
+        <version>0.0.1-SNAPSHOT</version>
+    </parent>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+</project>

spring-security-x509/basic-secured-server/src/main/java/com/baeldung/spring/security/x509/UserController.java

@@ -0,0 +1,21 @@
+package com.baeldung.spring.security.x509;
+
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+import java.security.Principal;
+
+@Controller
+public class UserController {
+    @PreAuthorize("hasAuthority('ROLE_USER')")
+    @RequestMapping(value = "/user")
+    public String user(Model model, Principal principal) {
+        UserDetails currentUser = (UserDetails) ((Authentication) principal).getPrincipal();
+        model.addAttribute("username", currentUser.getUsername());
+        return "user";
+    }
+}

spring-security-x509/basic-secured-server/src/main/java/com/baeldung/spring/security/x509/X509AuthenticationServer.java

@@ -0,0 +1,22 @@
+package com.baeldung.spring.security.x509;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+
+@SpringBootApplication
+@EnableWebSecurity
+public class X509AuthenticationServer extends WebSecurityConfigurerAdapter {
+    public static void main(String[] args) {
+        SpringApplication.run(X509AuthenticationServer.class, args);
+    }
+}

spring-security-x509/basic-secured-server/src/main/resources/application.properties

@@ -0,0 +1,8 @@
+server.ssl.key-store=../keystore/keystore.jks
+server.ssl.key-store-password=changeit
+server.ssl.key-alias=localhost
+server.ssl.key-password=changeit
+server.ssl.enabled=true
+server.port=8443
+security.user.name=Admin
+security.user.password=admin

spring-security-x509/basic-secured-server/src/main/resources/templates/user.html

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+    <head>
+        <title>X.509 Authentication Demo</title>
+    </head>
+    <body>
+        <h2>Hello <span th:text="${username}" />!</h2>
+    </body>
+</html>

spring-security-x509/basic-secured-server/src/test/java/com/baeldung/spring/security/x509/X509AuthenticationServerTests.java

@@ -0,0 +1,14 @@
+package com.baeldung.spring.security.x509;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.junit4.SpringRunner;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest
+public class X509AuthenticationServerTests {
+    @Test
+    public void contextLoads() {
+    }
+}

spring-security-x509/client-auth-server/pom.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <artifactId>client-auth-server</artifactId>
+    <version>0.0.1-SNAPSHOT</version>
+    <packaging>jar</packaging>
+
+    <name>client-auth-server</name>
+    <description>Spring x.509 Client Authentication Demo</description>
+
+    <parent>
+        <groupId>com.baeldung</groupId>
+        <artifactId>spring-security-x509</artifactId>
+        <version>0.0.1-SNAPSHOT</version>
+    </parent>
+
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.springframework.boot</groupId>
+                <artifactId>spring-boot-maven-plugin</artifactId>
+            </plugin>
+        </plugins>
+    </build>
+</project>

spring-security-x509/client-auth-server/src/main/java/com/baeldung/spring/security/x509/UserController.java

@@ -0,0 +1,21 @@
+package com.baeldung.spring.security.x509;
+
+import org.springframework.security.access.prepost.PreAuthorize;
+import org.springframework.security.core.Authentication;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.stereotype.Controller;
+import org.springframework.ui.Model;
+import org.springframework.web.bind.annotation.RequestMapping;
+
+import java.security.Principal;
+
+@Controller
+public class UserController {
+    @PreAuthorize("hasAuthority('ROLE_USER')")
+    @RequestMapping(value = "/user")
+    public String user(Model model, Principal principal) {
+        UserDetails currentUser = (UserDetails) ((Authentication) principal).getPrincipal();
+        model.addAttribute("username", currentUser.getUsername());
+        return "user";
+    }
+}

spring-security-x509/client-auth-server/src/main/java/com/baeldung/spring/security/x509/X509AuthenticationServer.java

@@ -0,0 +1,43 @@
+package com.baeldung.spring.security.x509;
+
+import org.springframework.boot.SpringApplication;
+import org.springframework.boot.autoconfigure.SpringBootApplication;
+import org.springframework.context.annotation.Bean;
+import org.springframework.security.config.annotation.method.configuration.EnableGlobalMethodSecurity;
+import org.springframework.security.config.annotation.web.builders.HttpSecurity;
+import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
+import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
+import org.springframework.security.core.authority.AuthorityUtils;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.core.userdetails.UserDetailsService;
+import org.springframework.security.core.userdetails.UsernameNotFoundException;
+
+@SpringBootApplication
+@EnableWebSecurity
+@EnableGlobalMethodSecurity(prePostEnabled = true)
+public class X509AuthenticationServer extends WebSecurityConfigurerAdapter {
+    public static void main(String[] args) {
+        SpringApplication.run(X509AuthenticationServer.class, args);
+    }
+
+    @Override
+    protected void configure(HttpSecurity http) throws Exception {
+        http.authorizeRequests().anyRequest().authenticated()
+          .and()
+          .x509().subjectPrincipalRegex("CN=(.*?)(?:,|$)").userDetailsService(userDetailsService());
+    }
+
+    @Bean
+    public UserDetailsService userDetailsService() {
+        return new UserDetailsService() {
+            @Override
+            public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
+                if (username.equals("cid")) {
+                    return new User(username, "", AuthorityUtils.commaSeparatedStringToAuthorityList("ROLE_USER"));
+                }
+                throw new UsernameNotFoundException("User not found!");
+            }
+        };
+    }
+}

spring-security-x509/client-auth-server/src/main/resources/application.properties

@@ -0,0 +1,11 @@
+server.ssl.key-store=../keystore/keystore.jks
+server.ssl.key-store-password=changeit
+server.ssl.key-alias=localhost
+server.ssl.key-password=changeit
+server.ssl.enabled=true
+server.port=8443
+security.user.name=Admin
+security.user.password=admin
+server.ssl.trust-store=../keystore/truststore.jks
+server.ssl.trust-store-password=changeit
+server.ssl.client-auth=need

spring-security-x509/client-auth-server/src/main/resources/templates/user.html

@@ -0,0 +1,9 @@
+<!DOCTYPE html>
+<html xmlns:th="http://www.thymeleaf.org">
+    <head>
+        <title>X.509 Authentication Demo</title>
+    </head>
+    <body>
+        <h2>Hello <span th:text="${username}"/>!</h2>
+    </body>
+</html>

spring-security-x509/client-auth-server/src/test/java/com/baeldung/spring/security/x509/X509AuthenticationServerTests.java

@@ -0,0 +1,14 @@
+package com.baeldung.spring.security.x509;
+
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.springframework.boot.test.context.SpringBootTest;
+import org.springframework.test.context.junit4.SpringRunner;
+
+@RunWith(SpringRunner.class)
+@SpringBootTest
+public class X509AuthenticationServerTests {
+    @Test
+    public void contextLoads() {
+    }
+}

spring-security-x509/keystore/Makefile

@@ -0,0 +1,88 @@
+PASSWORD=changeit
+KEYSTORE=keystore.jks
+HOSTNAME=localhost
+CLIENTNAME=cid
+
+# CN = Common Name
+# OU = Organization Unit
+# O  = Organization Name
+# L  = Locality Name
+# ST = State Name
+# C  = Country (2-letter Country Code)
+# E  = Email
+DNAME_CA='CN=Baeldung CA,OU=baeldung.com,O=Baeldung,L=SomeCity,ST=SomeState,C=CC'
+# For server certificates, the Common Name (CN) must be the hostname
+DNAME_HOST='CN=$(HOSTNAME),OU=baeldung.com,O=Baeldung,L=SomeCity,ST=SomeState,C=CC'
+DNAME_CLIENT='CN=$(CLIENTNAME),OU=baeldung.com,O=Baeldung,L=SomeCity,ST=SomeState,C=CC'
+TRUSTSTORE=truststore.jks
+
+all:	clean create-keystore add-host create-truststore add-client
+
+create-keystore:
+	# Generate a certificate authority (CA)
+	keytool -genkey -alias ca -ext BC=ca:true \
+	    -keyalg RSA -keysize 4096 -sigalg SHA512withRSA -keypass $(PASSWORD) \
+	    -validity 3650 -dname $(DNAME_CA) \
+	    -keystore $(KEYSTORE) -storepass $(PASSWORD)
+
+add-host:
+	# Generate a host certificate
+	keytool -genkey -alias $(HOSTNAME) \
+	    -keyalg RSA -keysize 4096 -sigalg SHA512withRSA -keypass $(PASSWORD) \
+	    -validity 3650 -dname $(DNAME_HOST) \
+	    -keystore $(KEYSTORE) -storepass $(PASSWORD)
+	# Generate a host certificate signing request
+	keytool -certreq -alias $(HOSTNAME) -ext BC=ca:true \
+	    -keyalg RSA -keysize 4096 -sigalg SHA512withRSA \
+	    -validity 3650 -file "$(HOSTNAME).csr" \
+	    -keystore $(KEYSTORE) -storepass $(PASSWORD)
+	# Generate signed certificate with the certificate authority
+	keytool -gencert -alias ca \
+	    -validity 3650 -sigalg SHA512withRSA \
+	    -infile "$(HOSTNAME).csr" -outfile "$(HOSTNAME).crt" -rfc \
+	    -keystore $(KEYSTORE) -storepass $(PASSWORD)
+	# Import signed certificate into the keystore
+	keytool -import -trustcacerts -alias $(HOSTNAME) \
+	    -file "$(HOSTNAME).crt" \
+	    -keystore $(KEYSTORE) -storepass $(PASSWORD)
+
+export-authority:
+	# Export certificate authority
+	keytool -export -alias ca -file ca.crt -rfc \
+	    -keystore $(KEYSTORE) -storepass $(PASSWORD)
+
+
+create-truststore: export-authority
+	# Import certificate authority into a new truststore
+	keytool -import -trustcacerts -noprompt -alias ca -file ca.crt \
+	    -keystore $(TRUSTSTORE) -storepass $(PASSWORD)
+
+add-client:
+	# Generate client certificate
+	keytool -genkey -alias $(CLIENTNAME) \
+	    -keyalg RSA -keysize 4096 -sigalg SHA512withRSA -keypass $(PASSWORD) \
+	    -validity 3650 -dname $(DNAME_CLIENT) \
+	    -keystore $(TRUSTSTORE) -storepass $(PASSWORD)
+	# Generate a host certificate signing request
+	keytool -certreq -alias $(CLIENTNAME) -ext BC=ca:true \
+	    -keyalg RSA -keysize 4096 -sigalg SHA512withRSA \
+	    -validity 3650 -file "$(CLIENTNAME).csr" \
+	    -keystore $(TRUSTSTORE) -storepass $(PASSWORD)
+	# Generate signed certificate with the certificate authority
+	keytool -gencert -alias ca \
+	    -validity 3650 -sigalg SHA512withRSA \
+	    -infile "$(CLIENTNAME).csr" -outfile "$(CLIENTNAME).crt" -rfc \
+	    -keystore $(KEYSTORE) -storepass $(PASSWORD)
+	# Import signed certificate into the truststore
+	keytool -import -trustcacerts -alias $(CLIENTNAME) \
+	    -file "$(CLIENTNAME).crt" \
+	    -keystore $(TRUSTSTORE) -storepass $(PASSWORD)
+	# Export private certificate for importing into a browser
+	keytool -importkeystore -srcalias $(CLIENTNAME) \
+	    -srckeystore $(TRUSTSTORE) -srcstorepass $(PASSWORD) \
+	    -destkeystore "$(CLIENTNAME).p12" -deststorepass $(PASSWORD) \
+	    -deststoretype PKCS12
+
+clean:
+	# Remove generated artifacts
+	find . ! -name Makefile -type f -exec rm -f {} \;

spring-security-x509/pom.xml

@@ -0,0 +1,49 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns="http://maven.apache.org/POM/4.0.0"
+    xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+
+    <groupId>com.baeldung</groupId>
+    <artifactId>spring-security-x509</artifactId>
+    <version>0.0.1-SNAPSHOT</version>
+    <packaging>pom</packaging>
+
+    <modules>
+        <module>basic-secured-server</module>
+        <module>client-auth-server</module>
+    </modules>
+
+    <parent>
+        <groupId>org.springframework.boot</groupId>
+        <artifactId>spring-boot-starter-parent</artifactId>
+        <version>1.4.0.RELEASE</version>
+        <relativePath/> <!-- lookup parent from repository -->
+    </parent>
+
+    <properties>
+        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
+        <project.reporting.outputEncoding>UTF-8</project.reporting.outputEncoding>
+        <java.version>1.8</java.version>
+    </properties>
+
+    <dependencies>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-security</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-web</artifactId>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-thymeleaf</artifactId>
+        </dependency>
+
+        <dependency>
+            <groupId>org.springframework.boot</groupId>
+            <artifactId>spring-boot-starter-test</artifactId>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>