I'm creating some restful web services and am using Spring Boot to create an embedded Tomcat container.
One of the requirements is that this implements 2 way SSL. I've been looking at the HttpSecurity
object and can get it to only run the webservices over an SSL channel using this:-
@Override
protected void configure(HttpSecurity http) throws Exception {
System.out.println("CONFIGURED");
http
// ...
.requiresChannel()
.anyRequest().requiresSecure();
}
What I can't seem to find is a way of making the webservice only accessible to applications providing a valid client cert.
I have only a basic knowledge of SSL so even a general pointer in the right direction would be appreciated.
The server this is being deployed onto will have a mix of applications - this is the only one that needs to be locked down with 2-way SSL. What I'm really looking for is a way of locking down a single application to only accept client certificates.
You could configure clientAuth=want
, see Apache Tomcat 8 Configuration Reference:
Set to
true
if you want the SSL stack to require a valid certificate chain from the client before accepting a connection. Set towant
if you want the SSL stack to request a client Certificate, but not fail if one isn't presented. Afalse
value (which is the default) will not require a certificate chain unless the client requests a resource protected by a security constraint that usesCLIENT-CERT
authentication.
and then read the client certificate with Spring Security - X.509 Authentication:
You can also use SSL with "mutual authentication"; the server will then request a valid certificate from the client as part of the SSL handshake. The server will authenticate the client by checking that its certificate is signed by an acceptable authority. If a valid certificate has been provided, it can be obtained through the servlet API in an application. Spring Security X.509 module extracts the certificate using a filter. It maps the certificate to an application user and loads that user’s set of granted authorities for use with the standard Spring Security infrastructure.
and
clientAuth
can also be set towant
if you still want SSL connections to succeed even if the client doesn’t provide a certificate. Clients which don’t present a certificate won’t be able to access any objects secured by Spring Security unless you use a non-X.509 authentication mechanism, such as form authentication.