Spring Security x509 won't allow multiple authentication #6746

@subatron

Summary

With form login, you can re-authenticate a user via username/password at any time with Spring Security. With x509 authentication, this doesn't work and Spring always returns the last cert seen, even if you clear the context.

Actual Behavior

With http.x509() enabled, Spring Security acquires a cert but won't allow the user to re-authenticate with another cert unless the SSL state is cleared on the browser or the browser is closed and re-opened (unless you're on IE and request a new session).

Expected Behavior

With x509 enabled, I expect to have a way to re-authenticate the user by displaying a cert dialog again. With form login, you would just ask for their credentials and pass them to the authentication manager. With cert-based login, it's a PreAuthenticatedAuthenticationToken, so there's nothing new for us to authenticate with.

Configuration

```java
// Class name and imports added to make the posted configuration compile as a unit
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

@Configuration
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .mvcMatchers("/home").hasAnyAuthority("ADMIN")
                .mvcMatchers("/**").permitAll()
            .and()
            .x509()
                // The principal is the CN captured from the client certificate's subject DN
                .subjectPrincipalRegex("CN=(.*?),")
                .userDetailsService(userDetailsService());
    }

    @Bean
    public UserDetailsService userDetailsService() {
        return new UserDetailsService() {

            @Override
            public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
                // Any CN the container's trust store accepts is granted ADMIN;
                // no password is checked on the x509 (pre-authenticated) path
                return new User(username, "", Arrays.asList(new SimpleGrantedAuthority("ADMIN")));
            }
        };
    }
}
```

Version

2.0.4.Release. This issue is also observed on 1.5.12.Release.

Sample

See full example @ https://github.com/subatron/spring-security-x509-complete
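Added example (not code from the issue or from the sample project): because the x509 path hands Spring a pre-authenticated token, the TLS handshake against the trust store is the only credential check, so the `UserDetailsService` lookup is where the application decides which certificate subjects exist and what they may do. This variant replaces the grant-ADMIN-to-everyone lookup above with an allow-list keyed on the CN that `subjectPrincipalRegex` extracts; the CNs `alice` and `bob` and the class name are hypothetical.

```java
import java.util.List;
import java.util.Map;
import java.util.stream.Collectors;

import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Hypothetical replacement for the userDetailsService() bean in the issue's configuration.
public class AllowListedX509UserDetailsService implements UserDetailsService {

    // Constructed sample mapping from certificate CN to granted authorities.
    // A real deployment would back this with a directory or database lookup.
    private static final Map<String, List<String>> AUTHORITIES_BY_CN = Map.of(
            "alice", List.of("ADMIN"),
            "bob", List.of("USER"));

    @Override
    public UserDetails loadUserByUsername(String cn) throws UsernameNotFoundException {
        List<String> roles = AUTHORITIES_BY_CN.get(cn);
        if (roles == null) {
            // A certificate the trust store accepts but whose subject the application
            // does not know is rejected here instead of silently becoming ADMIN.
            throw new UsernameNotFoundException("No account for certificate CN: " + cn);
        }
        return User.withUsername(cn)
                // No password is ever compared on the x509 path; an empty placeholder is enough.
                .password("")
                .authorities(roles.stream()
                        .map(SimpleGrantedAuthority::new)
                        .collect(Collectors.toList()))
                .build();
    }
}
```

Wire an instance of this class into `.x509().userDetailsService(...)` in place of the anonymous bean; the `/home` rule (`hasAnyAuthority("ADMIN")`) then admits only the CNs mapped to `ADMIN`.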
