I am somewhat new to Spring and a novice in SSL authentication.
My question is that I have a web application which works fine with form-based authentication. I need part of my application to be automatically authenticated using SSL client authentication.
What I have done so far:
- SSL-enabled Tomcat (I can access https://mydomain.com:9443)
- Imported the client certificate into the server truststore
- Changed server.xml and set clientAuth="want" in my server.xml:

    <Connector port="9443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="want" sslProtocol="TLS"
               keystoreFile="c:\serverkeystore" keystorePass="ChangeIt" />

- Added x509 subject-principal-regex="CN=(.*?)," user-service-ref="customUserDetailService" under http in my security-context.xml:

    <http auto-config="true" use-expressions="true">
        <x509 subject-principal-regex="CN=(.*?)," user-service-ref="myUserDetailService" />
        <intercept-url pattern="/upload" requires-channel="https" />
        <intercept-url pattern="/*" access="hasRole('ROLE_USER')" />
        <form-login login-page="/login.jsp" default-target-url="/index.jsp"
                    authentication-failure-url="/login.jsp?error=1" />
        <logout logout-url="/j_spring_security_logout"
                logout-success-url="/loggedout.jsp" delete-cookies="JSESSIONID" />
    </http>

- Added <intercept-url pattern="/upload" requires-channel="https" /> to secure the URL
- myUserDetailService implements UserDetailsService and returns a UserDetails object (the same class I use for form-based authentication, based on database-stored username, password, ROLES).
My problem is that whatever the URL path (even with /upload), it always shows me the login.jsp page.
I am using Spring and Spring Security 3.1.3 with Tomcat 6.0.35.
Any help would be highly appreciated.
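
Added example, not part of the original post: a JDK-only check of what the posted subject-principal-regex captures from a certificate subject DN, since the captured group is the username handed to the UserDetailsService. The subject DNs are constructed samples, the class and the `END_ANCHORED` comparison pattern are hypothetical, and applying the pattern with `find()` and case-insensitive matching is an assumption about how the x509 filter uses it.

```java
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class SubjectPrincipalRegexDemo {

    // The regex from the <x509> element in the post.
    // Assumption: the filter compiles it case-insensitively.
    static final Pattern POSTED =
            Pattern.compile("CN=(.*?),", Pattern.CASE_INSENSITIVE);

    // Hypothetical comparison pattern that also accepts a CN
    // that is the last attribute in the DN (no trailing comma).
    static final Pattern END_ANCHORED =
            Pattern.compile("CN=(.*?)(?:,|$)", Pattern.CASE_INSENSITIVE);

    /** Returns the captured principal, or null when the pattern finds no match. */
    static String extract(Pattern pattern, String subjectDn) {
        Matcher m = pattern.matcher(subjectDn);
        return m.find() ? m.group(1) : null;
    }

    public static void main(String[] args) {
        // Constructed subject DNs, not taken from any real certificate.
        String[] subjectDns = {
            "CN=alice, OU=Engineering, O=Example, C=US",  // CN first
            "C=US, O=Example, OU=Engineering, CN=alice",  // CN last
            "CN=alice",                                   // CN is the whole DN
            "EMAILADDRESS=alice@example.com, CN=Alice Smith, O=Example",
        };

        for (String dn : subjectDns) {
            // A null result means no principal could be extracted, so there
            // is no username to look up in the UserDetailsService.
            System.out.printf("%-60s posted=%-12s endAnchored=%s%n",
                    dn, extract(POSTED, dn), extract(END_ANCHORED, dn));
        }
    }
}
```

The posted pattern yields `alice` or `Alice Smith` only when a comma follows the CN value and yields `null` for the second and third DNs. Whatever string is captured has to match a stored username exactly for the lookup to succeed.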