This version is still in development and is not considered stable yet. For the latest stable version, please use Spring Security 6.5.1!

Reactive X.509 Authentication

Similar to Servlet X.509 authentication, the reactive x509 authentication filter allows extracting an authentication token from a certificate provided by a client.

The following example shows a reactive x509 security configuration:

  • Java

  • Kotlin

@Bean
SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
	http
		.x509(Customizer.withDefaults())
		.authorizeExchange(exchanges -> exchanges
			.anyExchange().authenticated()
		);
	return http.build();
}
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    return http {
        x509 { }
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
    }
}

In the preceding configuration, when neither principalExtractor nor authenticationManager is provided, defaults are used. The default principal extractor is SubjectX500PrincipalExtractor, which extracts the CN (common name) field from a certificate provided by a client. The default authentication manager is ReactivePreAuthenticatedAuthenticationManager, which performs user account validation, checking that a user account with a name extracted by principalExtractor exists and that it is not locked, disabled, or expired.

The following example demonstrates how these defaults can be overridden:

  • Java

  • Kotlin

@Bean
SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
	SubjectX500PrincipalExtractor principalExtractor = new SubjectX500PrincipalExtractor();
	principalExtractor.setExtractPrincipalNameFromEmail(true);

	UserDetails user = User
		.withUsername("luke@monkeymachine")
		.password("password")
		.roles("USER")
		.build();

	ReactiveUserDetailsService users = new MapReactiveUserDetailsService(user);
	ReactiveAuthenticationManager authenticationManager = new ReactivePreAuthenticatedAuthenticationManager(users);

	http
		.x509(x509 -> x509
			.principalExtractor(principalExtractor)
			.authenticationManager(authenticationManager)
		)
		.authorizeExchange(exchanges -> exchanges
			.anyExchange().authenticated()
		);
	return http.build();
}
@Bean
fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
    val extractor = SubjectX500PrincipalExtractor()
    extractor.setExtractPrincipalNameFromEmail(true)

    val user = User
        .withUsername("luke@monkeymachine")
        .password("password")
        .roles("USER")
        .build()

    val users: ReactiveUserDetailsService = MapReactiveUserDetailsService(user)
    val authentication: ReactiveAuthenticationManager = ReactivePreAuthenticatedAuthenticationManager(users)

    return http {
        x509 {
            principalExtractor = extractor
            authenticationManager = authentication
        }
        authorizeExchange {
            authorize(anyExchange, authenticated)
        }
    }
}

In the previous example, a username is extracted from the emailAddress field of a client certificate instead of CN, and account lookup uses a custom ReactiveAuthenticationManager instance.

For an example of configuring Netty and WebClient or curl command-line tool to use mutual TLS and enable X.509 authentication, see github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509.