Spring Security With X.509 Certificate | ansaurus

tags:

views:

345

answers:

1

Q:

Spring Security With X.509 Certificate

I am slowly going insane trying to configure Spring Security 3.0.0 to secure an application.

I have configured the server (jetty) to require client authentication (using a smart card). However, I cannot seem to get the applicationContext-security.xml and UserDetailsService implementation right.

First, from the application context file:

<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
   xmlns:context="http://www.springframework.org/schema/context"
   xmlns:security="http://www.springframework.org/schema/security"
   xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans-3.0.xsd
            http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context-3.0.xsd
            http://www.springframework.org/schema/security http://www.springframework.org/schema/security/spring-security-3.0.xsd"&gt;


<security:global-method-security secured-annotations="enabled" />

<security:http auto-config="true">
    <security:intercept-url pattern="/**" access="IS_AUTHENTICATED_ANONYMOUSLY" requires-channel="https"/>
    <security:x509 subject-principal-regex="CN=(.*?)," user-service-ref="accountService" />
</security:http>

<bean id="accountService" class="com.app.service.AccountServiceImpl"/>

The UserDetailsService looks like this:

public class AccountServiceImpl implements AccountService, UserDetailsService {

private static final Log log = LogFactory.getLog(AccountServiceImpl.class);

private AccountDao accountDao;

@Autowired
public void setAccountDao(AccountDao accountDao) {
    this.accountDao = accountDao;
}

public UserDetails loadUserByUsername(String s) throws UsernameNotFoundException, DataAccessException {

    log.debug("called loadUserByUsername()");
    System.out.println("called loadByUsername()");

    Account result = accountDao.getByEdpi(s);
    return result;

}

}

The application has a "front page" with a Login button, so access to that should not require any sort of authentication.

Any help is appreciated.

A:

From a configuration perspective, that looks fine. What is the error you're seeing? Are you seeing your UserDetailsService get invoked with the CN from X.509 cert?

Peter Mularien 2010-02-12 22:03:09

related questions

Java Time Zone is messed up

Eclipse on win64

Automate builds for Java RCP for deployment with JNLP

Why are professors or schools picking Java over C++ to teach to students?

Is there a real benefit of using J#?

Public/Popular Websites using JavaServer Faces

Why can't I use a try block around my super() call?

Accessing post variables using Java Servlets

Personal Linux web server

Is this really widening vs autoboxing?

How can I Java webstart multiple, dependent, native libraries?

Why can't I call toString() on a Java primitive?

How do I use Java to read from a file that is actively being written?

What code analysis tools do you use for your Java projects?

IllegalArgumentException or NullPointerException for a null parameter?

How do I configure and communicate with a serial port?

What is the best way to parse strings in Java

Getting started with a custom JXTA PeerGroup

Creating a custom button in Java

How to get started "writing" a code coverage tool?

Which Build-/Configuration Management Tool?

What is the difference between an int and an Integer in Java/C#?

What is the meaning of the type safety warning in certain Java generics casts?

How would you access Object properties from within an object method?

Converting CSV File to XML in Java