Spring Security With X.509 Certificate

Question

I am slowly going insane trying to configure Spring Security 3.0.0 to secure an application.

I have configured the server (jetty) to require client authentication (u

Answer 1

The application has a "front page" with a Login button, so access to that should not require any sort of authentication.

Something wrong is here. If you setup your servlet container to require client authentication, you cannot have such open-for-all page, in that case auth handshake won't success for users without smartcard and they won't even see container error page - It will be browser error instead.

It can be done making container to allow client auth and making login page open to anonymous users and secure other pages by SpringSec. But I won't recommend this for smartcard-PKI app. Smartcard auth implies security importance and it's more reliable to have non-smartcard users to thrown out early on container handshake. In that case you still can have user-friendly Login page on another port with a "Login" button linked to your app.

If you need help with SpringSecurity setup, please add more info about problems to your post.

Answer 2

From a configuration perspective, that looks fine. What is the error you're seeing? Are you seeing your UserDetailsService get invoked with the CN from X.509 cert?