X.509 Authentication

The most common use of X.509 certificate authentication is in verifying the identity of a server when using SSL, most commonly when using HTTPS from a browser. The browser automatically checks that the certificate presented by a server has been issued (digitally signed) by one of a list of trusted certificate authorities that it maintains.

You can also use SSL with “mutual authentication”. The server then requests a valid certificate from the client as part of the SSL handshake. The server authenticates the client by checking that its certificate is signed by an acceptable authority. If a valid certificate has been provided, it can be obtained through the servlet API in an application. The Spring Security X.509 module extracts the certificate by using a filter. It maps the certificate to an application user and loads that user’s set of granted authorities for use with the standard Spring Security infrastructure.

Your servlet container must first be set up for SSL client authentication. For example, if you use Tomcat, you should read the Tomcat SSL instructions. You should get this working before trying it out with Spring Security.

Adding X.509 Authentication to Your Web Application

Enabling X.509 client authentication is very straightforward. To do so, add the <x509/> element to your http security namespace configuration:

<http>
    ...
    <x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/>
</http>

The element has two optional attributes:

  • subject-principal-regex. The regular expression used to extract a username from the certificate’s subject name. The default value is shown in the preceding listing. This is the username that is passed to the UserDetailsService to load the authorities for the user.

  • user-service-ref. This is the bean ID of the UserDetailsService to be used with X.509. It is not needed if there is only one defined in your application context.
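The same wiring in Spring Security's Java configuration DSL, as an added example that is not taken from the page or from the Spring Security project's own sources; it assumes an in-memory UserDetailsService whose username matches the CN the regex extracts, and a form login as the fallback for clients that present no certificate:

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.Customizer;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.provisioning.InMemoryUserDetailsManager;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
@EnableWebSecurity
public class X509SecurityConfig {

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http, UserDetailsService userDetailsService) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            // Equivalent of <x509 subject-principal-regex="CN=(.*?)," user-service-ref="..."/>:
            // group 1 of the regex becomes the username handed to the UserDetailsService
            .x509(x509 -> x509
                .subjectPrincipalRegex("CN=(.*?),")
                .userDetailsService(userDetailsService))
            // Fallback for clients with no certificate (Tomcat clientAuth="want"); X.509 leaves
            // the security context empty in that case, so form login takes over
            .formLogin(Customizer.withDefaults());
        return http.build();
    }

    @Bean
    UserDetailsService userDetailsService() {
        // Constructed sample user: the username must equal the extracted CN exactly, including
        // its spacing. X.509 authentication never checks the password; it only matters if this
        // same user is also allowed to log in through the form.
        UserDetails jimi = User.withUsername("Jimi Hendrix")
            .password("{noop}change-me-if-form-login-is-used")
            .roles("USER")
            .build();
        return new InMemoryUserDetailsManager(jimi);
    }
}
```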

The subject-principal-regex should contain a single group. For example, the default expression, CN=(.*?), matches the common name field. So, if the subject name in the certificate is "CN=Jimi Hendrix, OU=…", this gives a user name of "Jimi Hendrix". The matches are case insensitive. So "emailAddress=(.*?)," matches "EMAILADDRESS=jimi@hendrix.org,CN=…", giving a user name "jimi@hendrix.org". If the client presents a certificate and a valid username is successfully extracted, there should be a valid Authentication object in the security context. If no certificate is found or no corresponding user could be found, the security context remains empty. This means that you can use X.509 authentication with other options, such as a form-based login.
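A stand-alone program that applies the extraction rule just described (single group, case-insensitive, lazy match up to the next comma) to constructed subject names, including one the default regex does not match. This is an added example using only java.util.regex; it is not Spring Security's own extractor, and how the real filter reacts to a non-matching DN is not covered here.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Demonstrates the documented subject-principal-regex semantics on sample DNs. */
public final class SubjectPrincipalRegexDemo {

    /**
     * Returns group 1 of the first case-insensitive match of {@code regex} in the
     * subject DN, or null when the expression does not match at all.
     */
    static String extractPrincipal(String subjectDn, String regex) {
        Pattern pattern = Pattern.compile(regex, Pattern.CASE_INSENSITIVE);
        Matcher matcher = pattern.matcher(subjectDn);
        if (!matcher.find()) {
            return null; // no username could be extracted from this DN
        }
        return matcher.group(1);
    }

    public static void main(String[] args) {
        // Constructed subject names in the layouts the text describes
        String cnFirst = "CN=Jimi Hendrix, OU=Guitars, O=Example Org, C=US";
        String emailFirst = "EMAILADDRESS=jimi@hendrix.org,CN=Jimi Hendrix,OU=Guitars";
        // CN as the last RDN: there is no trailing comma for the default regex to stop at
        String cnLast = "O=Example Org, OU=Guitars, CN=Jimi Hendrix";

        // Default expression: lazy group stops at the first comma -> "Jimi Hendrix"
        System.out.println(extractPrincipal(cnFirst, "CN=(.*?),"));
        // Case-insensitive match of the e-mail attribute -> "jimi@hendrix.org"
        System.out.println(extractPrincipal(emailFirst, "emailAddress=(.*?),"));
        // Default expression on a CN-last DN -> null, because no comma follows the CN.
        // Check the DN layout your CA issues before relying on the default expression.
        System.out.println(extractPrincipal(cnLast, "CN=(.*?),"));
        // A two-group expression would still only ever contribute group 1; keep it to one group
        System.out.println(extractPrincipal(cnFirst, "OU=(.*?),"));  // "Guitars"
    }
}
```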

Setting up SSL in Tomcat

There are some pre-generated certificates in the Spring Security Samples repository. You can use these to enable SSL for testing if you do not want to generate your own. The server.jks file contains the server certificate, the private key, and the issuing authority certificate. There are also some client certificate files for the users from the sample applications. You can install these in your browser to enable SSL client authentication.

To run tomcat with SSL support, drop the server.jks file into the tomcat conf directory and add the following connector to the server.xml file:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="${catalina.home}/conf/server.jks"
           keystoreType="JKS" keystorePass="password"
           truststoreFile="${catalina.home}/conf/server.jks"
           truststoreType="JKS" truststorePass="password"
/>

clientAuth can also be set to want if you still want SSL connections to succeed even if the client does not provide a certificate. Clients that do not present a certificate cannot access any objects secured by Spring Security unless you use a non-X.509 authentication mechanism, such as form authentication.