2

I'm trying to figure out where and how I can implement PKI authentication in an existing Spring Security implementation.

I changed the configuration of my server.xml in Tomcat to have two Connectors to handle "normal" username and password authentication and then the "PKI" authentication. The difference is that the PKI connector has clientAuth enabled and points to the issued truststore on the machine.

This allows the user to choose which way they would like to authenticate: they can click normal username/password authentication to go to one connector, or they can click PKI authentication to use the other. My configuration of Tomcat correctly prompts the user to use their cert and enter their PIN, at which point I receive an HttpServletRequest with the X509Certificate cert chain.

So now that I have this set up, how do I configure Spring Security to allow either form of authentication? I am trying to figure out how to use the EDI of the cert as a replacement of the username/password, and still do security checks like checking the expiration date, seeing if the card is revoked, etc.

Any ideas or links are greatly appreciated. Thanks!

rwyland
  • Have you read the [documentation](http://static.springsource.org/spring-security/site/docs/3.1.x/reference/springsecurity-single.html#x509) on X.509 authentication? – Shaun the Sheep Mar 06 '12 at 16:06
  • @LukeTaylor I have not, thanks for pointing that out. It looks like I need to add another filter in Spring to extract the cert chain? – rwyland Mar 06 '12 at 16:11

1 Answer

2

If I understand right, you already have different Tomcat connectors on different ports and a login page that allows the user to choose a connector. And now you want to set up X.509 auth on one of the connectors.

The drop-in X.509 config from the Spring docs works: it extracts the CN from the certificate and uses it as the user name.

But if you want fine tuning or more control over auth, you must use plain bean config to set up the springSecurityFilterChain. You may find a working example of such a config here.

alexkasko
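As an added illustration of the "more control over auth" route the answer points to (this is example code written for this page, not code from the question, the answer, or the Spring Security project): with the plain bean config, the `PreAuthenticatedAuthenticationProvider` can be given a custom `AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken>`. Because `X509AuthenticationFilter` places the client certificate in the token's credentials, that service can re-check the validity period, run PKIX path validation with revocation checking against the same truststore the connector uses, and then map a subject attribute to an application user. The class name, package, the `CN=` regex, the truststore path and the fixed `ROLE_USER` are all assumptions, not values from the page.

```java
// Added example for Spring Security 3.1's X.509 support; not from the page.
// Tomcat has already verified the client chain during the TLS handshake; this
// bean repeats the checks the question asks about (expiry, revocation) in the
// application so they do not depend on connector configuration alone.
package example.security;   // hypothetical package

import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.CredentialsExpiredException;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

public class CertificateUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    // Hypothetical: which subject attribute identifies the user in this application.
    private static final Pattern SUBJECT_ID = Pattern.compile("CN=([^,]+)");

    private final KeyStore trustStore;

    // trustStorePath is a placeholder for the truststore the PKI connector points at.
    public CertificateUserDetailsService(String trustStorePath, char[] password) throws Exception {
        trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(trustStorePath);
        try {
            trustStore.load(in, password);
        } finally {
            in.close();
        }
        // Let the JDK PKIX validator consult OCSP and CRL distribution points.
        Security.setProperty("ocsp.enable", "true");
        System.setProperty("com.sun.security.enableCRLDP", "true");
    }

    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token)
            throws UsernameNotFoundException {
        // X509AuthenticationFilter stores the client certificate as the credentials.
        Object creds = token.getCredentials();
        if (!(creds instanceof X509Certificate)) {
            throw new BadCredentialsException("No client certificate in request");
        }
        X509Certificate cert = (X509Certificate) creds;

        // 1. Validity period (expired or not-yet-valid certificates are rejected).
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            throw new CredentialsExpiredException("Certificate not currently valid", e);
        }

        // 2. Chain to a trust anchor and revocation status.
        validatePath(cert);

        // 3. Map the certificate subject to an application user.
        Matcher m = SUBJECT_ID.matcher(cert.getSubjectX500Principal().getName());
        if (!m.find()) {
            throw new UsernameNotFoundException("No identifier in subject " + cert.getSubjectX500Principal());
        }
        String userId = m.group(1);
        // Role lookup is application-specific; a fixed role stands in for it here.
        return new User(userId, "", Collections.singletonList(new SimpleGrantedAuthority("ROLE_USER")));
    }

    // The filter only hands over the leaf certificate, so this path validates when
    // the issuer is itself a trust anchor in the truststore; the full chain is also
    // available from the request attribute javax.servlet.request.X509Certificate.
    private void validatePath(X509Certificate cert) {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            CertPath path = cf.generateCertPath(Arrays.asList(cert));
            PKIXParameters params = new PKIXParameters(trustStore);
            params.setRevocationEnabled(true);   // fail closed if status cannot be determined
            CertPathValidator.getInstance("PKIX").validate(path, params);
        } catch (Exception e) {
            throw new BadCredentialsException("Certificate chain validation failed", e);
        }
    }
}
```

Wiring this in follows the answer's plain bean config: declare an `X509AuthenticationFilter` with its `authenticationManager` property set, and a `PreAuthenticatedAuthenticationProvider` whose `preAuthenticatedUserDetailsService` property references this bean; the filter goes into the `springSecurityFilterChain` for the URL pattern served by the PKI connector, while the username/password connector keeps the existing form-login chain.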