
I'm using Spring Security for X.509 preauthentication.

To make sure the client sends its certificate per HTTP request, is it necessary to:

  • Modify pom.xml to set <wantClientAuth> and <needClientAuth> to true
  • Set Apache's SSLVerifyClient to require reference

Based on reading, the web server must tell the client side to send its certificate in order for the client to actually send it. I'm confused about whether Spring Security AND Apache configuration are both required to achieve this.

Kevin Meredith
  • I read this post on editing `ActivClient's` (smart card software) config to include the client cert in HTTP session (http://stackoverflow.com/questions/13808630/request-getattributejavax-servlet-request-x509certificate-returns-null), however I do see the client cert in the session **sometimes**. – Kevin Meredith May 13 '13 at 03:24

1 Answer


Spring Security configuration has nothing to do with whether the client sends a certificate or not. That's decided at the SSL protocol level and hence by the negotiation between the client and the server. Your question is a bit unclear in that it refers to a maven pom and an Apache configuration without explaining how your system is set up. Are you running the maven Jetty plugin with an Apache server in front?

Spring Security's X.509 authentication won't work if the SSL connection doesn't terminate at the servlet container. So if you have HTTPS between the client and Apache, and a non-SSL connection from Apache to the servlet container, then the client certificate won't normally be available.

If you are using an AJP connector, then you can configure Apache to pass the certificate on to the back end using the ExportCertData option. If you aren't, you can still take the exported certificate and pass it as a request header (you'll find examples of this elsewhere on SO). You would also need to customize the Spring Security X.509 code to extract the certificate from the header, rather than the standard java property name which it uses by default.

Shaun the Sheep
  • When logging `session.getAttributeNames()`, should `SSL_CLIENT_CERT` show up? After reviewing my logs, I only see the `javax.servlet.request.X509Certificate` attribute, but not `SSL_CLIENT_CERT`. Perhaps it needs to be retrieved specifically? – Kevin Meredith May 14 '13 at 01:51
  • SSL_CLIENT_CERT only applies within Apache. If `javax.servlet.request.X509Certificate` is set then there shouldn't be any problem. As I said, you should clarify in your question what your setup is, and also what the problem is. Otherwise it's hard to give an answer. – Shaun the Sheep May 14 '13 at 19:41
  • a possible "elsewhere" may be here https://stackoverflow.com/questions/45456202/spring-boot-in-azure-client-certificate-in-request-header – hello_earth Oct 15 '19 at 14:57
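The answer's second option (Apache exports the certificate, forwards it in a request header, and a customized Spring Security pre-authentication filter reads it from there) as an added example. This is not code from the question, the answer, or the Spring Security project; the header name `SSL_CLIENT_CERT`, the class name `HeaderX509AuthenticationFilter` and the `trustedProxies` set are assumptions, and it assumes Apache is configured with `SSLVerifyClient require`, `SSLOptions +ExportCertData` and `RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"` so that the header always reflects the certificate Apache verified. Because a header can be typed by anyone who can reach the servlet container directly, the filter only honours it when the request's remote address is one of the proxies.

```java
import java.io.ByteArrayInputStream;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Set;
import javax.servlet.http.HttpServletRequest;

import org.springframework.security.web.authentication.preauth.AbstractPreAuthenticatedProcessingFilter;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
import org.springframework.security.web.authentication.preauth.x509.X509PrincipalExtractor;

/**
 * Pre-authentication filter (hypothetical, not part of Spring Security) that reads the
 * client certificate Apache exported into a request header, instead of the
 * javax.servlet.request.X509Certificate attribute that only exists when the TLS
 * connection terminates in the servlet container itself.
 */
public class HeaderX509AuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {

    // Assumed header name; it must match the RequestHeader directive on the Apache side.
    private final String headerName;
    // Only requests arriving from these proxy addresses may carry a trusted header.
    private final Set<String> trustedProxies;
    // Same subject-DN extraction the standard X509AuthenticationFilter uses.
    private final X509PrincipalExtractor principalExtractor = new SubjectDnX509PrincipalExtractor();

    public HeaderX509AuthenticationFilter(String headerName, Set<String> trustedProxies) {
        this.headerName = headerName;
        this.trustedProxies = trustedProxies;
    }

    @Override
    protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
        X509Certificate cert = extractClientCertificate(request);
        return cert == null ? null : principalExtractor.extractPrincipal(cert);
    }

    @Override
    protected Object getPreAuthenticatedCredentials(HttpServletRequest request) {
        return extractClientCertificate(request);
    }

    private X509Certificate extractClientCertificate(HttpServletRequest request) {
        // Refuse the header unless the request came from the proxy that sets it;
        // a client talking to the backend directly could otherwise forge any identity.
        if (!trustedProxies.contains(request.getRemoteAddr())) {
            return null;
        }
        String header = request.getHeader(headerName);
        if (header == null || header.isEmpty()) {
            return null;   // no certificate presented: fall through to other authentication
        }
        try {
            return parsePem(header);
        } catch (CertificateException | IllegalArgumentException e) {
            logger.debug("Client certificate header could not be parsed", e);
            return null;
        }
    }

    /**
     * Parses a PEM certificate whose line breaks were turned into spaces on the way
     * through the header (what mod_headers does), or that was URL-encoded beforehand.
     */
    static X509Certificate parsePem(String value) throws CertificateException {
        String pem = value;
        if (!pem.startsWith("-----BEGIN")) {
            pem = URLDecoder.decode(pem, StandardCharsets.UTF_8);   // Java 10+ overload
        }
        String body = pem.replace("-----BEGIN CERTIFICATE-----", "")
                         .replace("-----END CERTIFICATE-----", "")
                         .replaceAll("\\s", "");                    // drop the mangled line breaks
        byte[] der = Base64.getDecoder().decode(body);               // throws IllegalArgumentException on junk
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
    }
}
```

Wire it the same way as the stock X.509 filter: call `setAuthenticationManager(...)` with a manager that contains a `PreAuthenticatedAuthenticationProvider` backed by your `UserDetailsService`, and register it in the filter chain in place of `X509AuthenticationFilter`. The certificate itself was already validated by Apache (`SSLVerifyClient require` plus `SSLCACertificateFile`); this filter only maps the subject DN to a user, which is why the trusted-proxy check is what keeps the header from becoming an unauthenticated bypass.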