cwittah

Reputation: 371

Spring-Boot client authentication configuration.

First off, I'm new to Spring-Boot and SSL in general, but I've spent several days researching and am basically trying to get a simple Spring-Boot application configured with Client Authentication.

I've set up a connector like so:

import java.io.File;
import java.io.IOException;
import org.apache.catalina.connector.Connector;
import org.apache.coyote.http11.Http11NioProtocol;

private Connector createSslConnector() {
    Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
    Http11NioProtocol protocol = (Http11NioProtocol) connector.getProtocolHandler();
    File keystore = null;
    File truststore = null;
    try {
        keystore = getKeyStoreFile();
        // the key store doubles as the trust store, so it must also hold the CA that signs client certificates
        truststore = keystore;
        connector.setScheme("https");
        connector.setSecure(true);
        connector.setPort(sslPort);
        protocol.setSSLEnabled(true);
        protocol.setKeystoreFile(keystore.getAbsolutePath());
        protocol.setKeystorePass("changeit");
        protocol.setTruststoreFile(truststore.getAbsolutePath());
        protocol.setTruststorePass("changeit");
        protocol.setKeyAlias("apitester");
        // "need" makes Tomcat reject any handshake that does not present a trusted client certificate
        protocol.setClientAuth("need");
        return connector;
    }
    catch (IOException ex) {
        // report the real paths (the original concatenated the literal string "keystore")
        throw new IllegalStateException("cant access keystore: [" + keystore
                + "] or truststore: [" + truststore + "]", ex);
    }
}

And a controller that looks like so:

@RequestMapping("/test/{identifier}")
@ResponseBody
ResponseEntity<String> test(HttpServletRequest request, @PathVariable String identifier) {
    // echo the path variable back; the missing semicolon on this line would not compile
    return new ResponseEntity<String>("hello: " + identifier, HttpStatus.OK);
}

However, once I launch my application I can use a browser to navigate to localhost:sslport/hello/test/xxxx and get a response without any type of client certificate loaded. I was expecting to be prompted for a client certificate.

Upvotes: 2

Views: 2689

Answers (2)

Pytry

Reputation: 6419

Spring Boot supplies a "server agnostic" application property to enforce SSL client authentication on supported embedded servers.

server.ssl.client-auth=NEED

Accepted values: NEED, WANT, NONE

Upvotes: 0
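The same enforcement through the property described above, together with a controller that reads the verified client certificate so you can confirm the handshake actually demanded one. This is an added example, not code from the question or the answers; the store file names and passwords are placeholders, and it assumes a Spring Boot 2.x application on embedded Tomcat.

```java
// src/main/resources/application.properties (placeholder names and passwords):
//
//   server.port=8443
//   server.ssl.key-store=classpath:server.p12
//   server.ssl.key-store-password=changeit
//   server.ssl.key-alias=apitester
//   server.ssl.trust-store=classpath:truststore.p12
//   server.ssl.trust-store-password=changeit
//   server.ssl.client-auth=NEED
//
// NEED rejects the TLS handshake unless the client presents a certificate that chains to
// the trust store; WANT asks for one but lets the connection proceed without it; NONE never asks.

import java.security.cert.X509Certificate;
import javax.servlet.http.HttpServletRequest;
import org.springframework.http.HttpStatus;
import org.springframework.http.ResponseEntity;
import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.PathVariable;
import org.springframework.web.bind.annotation.RestController;

@RestController
public class ClientCertController {

    // Servlet-spec request attribute under which Tomcat exposes the verified client chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    @GetMapping("/test/{identifier}")
    public ResponseEntity<String> test(HttpServletRequest request, @PathVariable String identifier) {
        X509Certificate[] chain = (X509Certificate[]) request.getAttribute(CERT_ATTR);
        if (chain == null || chain.length == 0) {
            // With client-auth=NEED the handshake fails before the request reaches this code;
            // this branch is only reachable if the setting was relaxed to WANT or NONE.
            return new ResponseEntity<>("no client certificate presented", HttpStatus.FORBIDDEN);
        }
        // chain[0] is the leaf certificate the client authenticated with
        String subject = chain[0].getSubjectX500Principal().getName();
        return new ResponseEntity<>("hello: " + identifier + " (client: " + subject + ")", HttpStatus.OK);
    }
}
```

To check the setting from outside, a request without `--cert`/`--key` (for example `curl --cacert ca.pem https://localhost:8443/test/1`) should fail during the TLS handshake rather than return a page, and the same request with a client certificate issued by the trust store's CA should return the greeting with that certificate's subject.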

mahesh kamath

Reputation: 345

Spring boot uses tomcat (embedded) web container by default.

As it is called out in the Tomcat doc, we have to set it to true to enforce the propagation of a valid certificate chain from the client before accepting a connection. Setting want will allow the client to provide a certificate, but it is not absolutely required.

I doubt if "need" makes any meaning for the container.

protocol.setClientAuth("need");

Upvotes: 0
