Package org.springframework.security.config.annotation.web.configurers

Class X509Configurer<H extends HttpSecurityBuilder<H>>

java.lang.Object

org.springframework.security.config.annotation.SecurityConfigurerAdapter<DefaultSecurityFilterChain,B>

org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer<X509Configurer<H>,H>

org.springframework.security.config.annotation.web.configurers.X509Configurer<H>

All Implemented Interfaces:

SecurityConfigurer<DefaultSecurityFilterChain,H>

public final class X509Configurer<H extends HttpSecurityBuilder<H>>
extends AbstractHttpConfigurer<X509Configurer<H>,H>

Adds X509 based pre authentication to an application. Since validating the certificate happens when the client connects, the requesting and validation of the client certificate should be performed by the container. Spring Security will then use the certificate to look up the Authentication for the user.

Security Filters

The following Filters are populated

• X509AuthenticationFilter

Shared Objects Created

The following shared objects are created

• AuthenticationEntryPoint is populated with an Http403ForbiddenEntryPoint
• A PreAuthenticatedAuthenticationProvider is populated into HttpSecurity.authenticationProvider(org.springframework.security.authentication.AuthenticationProvider)

Shared Objects Used

The following shared objects are used:

• A UserDetailsService shared object is used if no AuthenticationUserDetailsService is specified

Since:

3.2

Constructor Summary

Constructors

Constructor	Description
X509Configurer()	Creates a new instance

Method Summary

Modifier and Type	Method	Description
X509Configurer<H>	authenticationDetailsSource(AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest,PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails> authenticationDetailsSource)	Specifies the AuthenticationDetailsSource
X509Configurer<H>	authenticationUserDetailsService(AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> authenticationUserDetailsService)	Specifies the AuthenticationUserDetailsService to use.
void	configure(H http)	Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.
void	init(H http)	Initialize the SecurityBuilder.
X509Configurer<H>	subjectPrincipalRegex(String subjectPrincipalRegex)	Specifies the regex to extract the principal from the certificate.
X509Configurer<H>	userDetailsService(UserDetailsService userDetailsService)	Shortcut for invoking authenticationUserDetailsService(AuthenticationUserDetailsService) with a UserDetailsByNameServiceWrapper.
X509Configurer<H>	x509AuthenticationFilter(X509AuthenticationFilter x509AuthenticationFilter)	Allows specifying the entire X509AuthenticationFilter.
X509Configurer<H>	x509PrincipalExtractor(X509PrincipalExtractor x509PrincipalExtractor)	Specifies the X509PrincipalExtractor

Methods inherited from class org.springframework.security.config.annotation.web.configurers.AbstractHttpConfigurer

disable, getSecurityContextHolderStrategy, withObjectPostProcessor

Methods inherited from class org.springframework.security.config.annotation.SecurityConfigurerAdapter

addObjectPostProcessor, and, getBuilder, postProcess, setBuilder

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Details

X509Configurer

public X509Configurer()

Creates a new instance

See Also:

• HttpSecurity.x509()

Method Details

x509AuthenticationFilter

public X509Configurer<H> x509AuthenticationFilter(X509AuthenticationFilter x509AuthenticationFilter)

Allows specifying the entire X509AuthenticationFilter. If this is specified, the properties on X509Configurer will not be populated on the X509AuthenticationFilter.

Parameters:

x509AuthenticationFilter - the X509AuthenticationFilter to use

Returns:

the X509Configurer for further customizations

x509PrincipalExtractor

public X509Configurer<H> x509PrincipalExtractor(X509PrincipalExtractor x509PrincipalExtractor)

Specifies the X509PrincipalExtractor

Parameters:

x509PrincipalExtractor - the X509PrincipalExtractor to use

Returns:

the X509Configurer to use

authenticationDetailsSource

public X509Configurer<H> authenticationDetailsSource(AuthenticationDetailsSource<jakarta.servlet.http.HttpServletRequest,PreAuthenticatedGrantedAuthoritiesWebAuthenticationDetails> authenticationDetailsSource)

Specifies the AuthenticationDetailsSource

Parameters:

authenticationDetailsSource - the AuthenticationDetailsSource to use

Returns:

the X509Configurer to use

userDetailsService

public X509Configurer<H> userDetailsService(UserDetailsService userDetailsService)

Shortcut for invoking authenticationUserDetailsService(AuthenticationUserDetailsService) with a UserDetailsByNameServiceWrapper.

Parameters:

userDetailsService - the UserDetailsService to use

Returns:

the X509Configurer for further customizations

authenticationUserDetailsService

public X509Configurer<H> authenticationUserDetailsService(AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> authenticationUserDetailsService)

Specifies the AuthenticationUserDetailsService to use. If not specified, the shared UserDetailsService will be used to create a UserDetailsByNameServiceWrapper. If a SecurityFilterChain bean is used instead of the WebSecurityConfigurerAdapter, then the UserDetailsService bean will be used by default.

Parameters:

authenticationUserDetailsService - the AuthenticationUserDetailsService to use

Returns:

the X509Configurer for further customizations

subjectPrincipalRegex

public X509Configurer<H> subjectPrincipalRegex(String subjectPrincipalRegex)

Specifies the regex to extract the principal from the certificate. If not specified, the default expression from SubjectDnX509PrincipalExtractor is used.

Parameters:

subjectPrincipalRegex - the regex to extract the user principal from the certificate (i.e. "CN=(.*?)(?:,|$)").

Returns:

the X509Configurer for further customizations

init

public void init(H http)

Description copied from interface: SecurityConfigurer

Initialize the SecurityBuilder. Here only shared state should be created and modified, but not properties on the SecurityBuilder used for building the object. This ensures that the SecurityConfigurer.configure(SecurityBuilder) method uses the correct shared objects when building. Configurers should be applied here.

Specified by:

init in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

Overrides:

init in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

configure

public void configure(H http)

Description copied from interface: SecurityConfigurer

Configure the SecurityBuilder by setting the necessary properties on the SecurityBuilder.

Specified by:

configure in interface SecurityConfigurer<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>

Overrides:

configure in class SecurityConfigurerAdapter<DefaultSecurityFilterChain,H extends HttpSecurityBuilder<H>>