Scenario: The application sits behind an NGINX that terminates the TLS connection and does the mutual authentication with the client. The NGINX then forwards the client certificate in an `X-SSL-CERT` header to the Spring-based application. In the application I want to access the information provided inside the certificate and also, based on this, create an `Authentication`.

Current Approach: To get it up and running, I implemented a custom `Filter` that extracts the header, parses the string into an X509 certificate, extracts the required information into a custom `Authentication` and then uses the `SecurityContextHolder` to add the `Authentication` into the `SecurityContext`. This works and I can access the `Authentication` inside my controller methods with the `@AuthenticationPrincipal` annotation.
However, while reading the documentation I felt that this approach might not be secure and also not as it is intended by Spring, since there is already an `X509AuthenticationFilter` to use in pre-authentication scenarios.

I then came up with the idea to just place the parsed `X509Certificate` inside the `ServletRequest` attribute and use the provided `X509AuthenticationFilter`. I quickly ran into issues, since I do not provide a `UserDetailsService`.
Questions:
- Is the first approach I described considered to be valid/secure?
- How can I use the `X509AuthenticationFilter` for pre-authentication use cases without providing a `UserDetailsService`, since I don't require anything to get that information?
- Is it secure to directly use the `SecurityContextHolder` to add my custom `Authentication` from inside the filter?
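As an added example (not the question's own code; it assumes Spring Security 6 on Jakarta Servlet and that NGINX forwards the certificate as URL-encoded PEM via `$ssl_client_escaped_cert`), this is one way to feed the header to the stock `X509AuthenticationFilter` and authenticate without a `UserDetailsService`: give `PreAuthenticatedAuthenticationProvider` an `AuthenticationUserDetailsService` that builds the principal from the certificate itself. The header-to-attribute filter is only safe if the application is reachable solely through NGINX and NGINX unconditionally sets `X-SSL-CERT`, so a client cannot inject its own value.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.security.cert.*;
import jakarta.servlet.*;
import jakarta.servlet.http.HttpServletRequest;
import org.springframework.security.authentication.ProviderManager;
import org.springframework.security.core.userdetails.*;
import org.springframework.security.web.authentication.preauth.*;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;

// Hypothetical filter (not from the question): copies the proxy-supplied X-SSL-CERT header into the
// request attribute that X509AuthenticationFilter reads. Only safe when the header can come solely
// from the TLS-terminating NGINX, which must overwrite any value a client sends.
public class HeaderCertificateFilter implements Filter {
    static final String CERT_ATTR = "jakarta.servlet.request.X509Certificate";
    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        String header = ((HttpServletRequest) req).getHeader("X-SSL-CERT");
        if (header != null) {
            try {
                // Assumes NGINX forwards $ssl_client_escaped_cert, i.e. URL-encoded PEM.
                String pem = URLDecoder.decode(header, StandardCharsets.UTF_8);
                X509Certificate cert = (X509Certificate) CertificateFactory.getInstance("X.509")
                        .generateCertificate(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
                req.setAttribute(CERT_ATTR, new X509Certificate[] { cert });
            } catch (CertificateException e) {
                // Malformed header: set nothing, so X509AuthenticationFilter treats the request as anonymous.
            }
        }
        chain.doFilter(req, res);
    }

    // Builds X509AuthenticationFilter without a UserDetailsService: the pre-authenticated provider
    // derives the principal straight from the certificate it receives as the token's credentials.
    public static X509AuthenticationFilter x509Filter() {
        AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> fromCert = token -> {
            X509Certificate cert = (X509Certificate) token.getCredentials();
            return User.withUsername(cert.getSubjectX500Principal().getName())
                    .password("N/A").roles("CLIENT").build(); // constructed role name, adjust as needed
        };
        PreAuthenticatedAuthenticationProvider provider = new PreAuthenticatedAuthenticationProvider();
        provider.setPreAuthenticatedUserDetailsService(fromCert);
        X509AuthenticationFilter filter = new X509AuthenticationFilter();
        filter.setAuthenticationManager(new ProviderManager(provider));
        return filter; // register it in the SecurityFilterChain after HeaderCertificateFilter
    }
}
```

Both filters still need to be registered in the `SecurityFilterChain`, with `HeaderCertificateFilter` ordered before the `X509AuthenticationFilter` so the attribute is present when the latter runs.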