I use Spring Security to authenticate using an X.509 certificate, and it only works when a client certificate that is configured in the browser keystore is also present in the server trust store.
How it works now:
- I configured SSL client authentication as optional (server.ssl.client-auth = want, as in this post).
- I set up a trust store containing all client certificates. If the certificate provided by the client is in the trust store, a mutual SSL connection is created.
- When I have a client certificate (or several) present in the server-side trust store, Firefox opens a pop-up window with my client-side certificates that I can select, and a mutual SSL connection is established.
- I configured Spring Security to extract the username from the SubjectDN of the client certificate and look it up via UserDetailsService. If a UserDetails object is returned for this username, the authentication process succeeds.
The problem is that if I delete the client certificate from the server-side trust store, Firefox no longer opens this pop-up window and only a one-way SSL connection is made, even if the root CA certificate is present in the server trust store.
What I want:
(Only fragments of the rest of the question survive in the source.)
- Reference: Baeldung, X.509 auth.
- @robinhowlett
- CA
- Question: Root CA, X.509 SSL Spring?
- Versions: Spring Boot 1.5.2.RELEASE (spring-security-web 4.2.2.RELEASE). SSL tested with Firefox 53.
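The setup described in the question (optional client auth, a trust store, Spring Security mapping the SubjectDN CN to a UserDetailsService), written out as an added example for the Spring Boot 1.5 / Spring Security 4.2 line the question mentions. This is not the poster's code: the package name, the property values, and the in-memory allow-list of CNs are assumptions standing in for the real application and user store.

```java
package com.example.x509demo;

// Assumed application.properties for this example (not the poster's values):
//   server.port=8443
//   server.ssl.key-store=classpath:server.p12
//   server.ssl.key-store-password=changeit
//   server.ssl.trust-store=classpath:truststore.jks
//   server.ssl.trust-store-password=changeit
//   server.ssl.client-auth=want
//
// With client-auth=want the server still sends a CertificateRequest; JSSE fills
// its list of acceptable CA names from the DNs of every certificate in the trust
// store. The browser only offers client certificates whose issuer chain ends in
// one of those names, so what is in the trust store decides whether the prompt
// appears at all, independently of what Spring Security does afterwards.

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

@Configuration
@EnableWebSecurity
public class X509SecurityConfig extends WebSecurityConfigurerAdapter {

    // Constructed allow-list of certificate CNs; a real deployment would look the
    // name up in a database or directory (assumption, for illustration only).
    private static final Set<String> KNOWN_USERS =
            new HashSet<>(Arrays.asList("alice", "bob"));

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .anyRequest().authenticated()
                .and()
            .x509()
                // X509AuthenticationFilter applies this regex to the SubjectDN and
                // uses group 1 as the principal name. The CN is only trustworthy
                // because the TLS layer has already verified the certificate chain
                // against the trust store; never accept a CN from a cert the
                // container did not validate.
                .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                .userDetailsService(certificateUserDetailsService());
    }

    // Resolves the extracted CN to a UserDetails object. Throwing
    // UsernameNotFoundException makes the X.509 authentication fail, and with
    // client-auth=want the request then proceeds as anonymous and is rejected
    // by the authenticated() rule above.
    @Bean
    public UserDetailsService certificateUserDetailsService() {
        return username -> {
            if (!KNOWN_USERS.contains(username)) {
                throw new UsernameNotFoundException("no user for certificate CN: " + username);
            }
            // No password is involved in certificate authentication; Spring's User
            // constructor only requires the value to be non-null.
            return new User(username, "", AuthorityUtils.createAuthorityList("ROLE_USER"));
        };
    }
}
```

To see which CA names the server actually advertises in its CertificateRequest, run `openssl s_client -connect localhost:8443` against the application and read the "Acceptable client certificate CA names" section of the output; if the issuer of the browser's certificate is not listed there, Firefox will not show the selection pop-up regardless of the Spring Security configuration.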