Add Support SubjectX500PrincipalExtractor
Closes gh-16980 Signed-off-by: Max Batischev <mblancer@mail.ru>
This commit is contained in:
Max Batischev
+5
-1
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2020 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -16,6 +16,7 @@
|
||||
|
||||
package org.springframework.security.web.authentication.preauth.x509;
|
||||
|
||||
import java.security.Principal;
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
@@ -43,7 +44,9 @@ import org.springframework.util.Assert;
|
||||
* "EMAILADDRESS=jimi@hendrix.org, CN=..." giving a user name "jimi@hendrix.org"
|
||||
*
|
||||
* @author Luke Taylor
|
||||
* @deprecated Please use {@link SubjectX500PrincipalExtractor} instead
|
||||
*/
|
||||
@Deprecated
|
||||
public class SubjectDnX509PrincipalExtractor implements X509PrincipalExtractor, MessageSourceAware {
|
||||
|
||||
protected final Log logger = LogFactory.getLog(getClass());
|
||||
@@ -59,6 +62,7 @@ public class SubjectDnX509PrincipalExtractor implements X509PrincipalExtractor,
|
||||
@Override
|
||||
public Object extractPrincipal(X509Certificate clientCert) {
|
||||
// String subjectDN = clientCert.getSubjectX500Principal().getName();
|
||||
Principal principal = clientCert.getSubjectDN();
|
||||
String subjectDN = clientCert.getSubjectDN().getName();
|
||||
this.logger.debug(LogMessage.format("Subject DN is '%s'", subjectDN));
|
||||
Matcher matcher = this.subjectDnPattern.matcher(subjectDN);
|
||||
|
||||
+88
@@ -0,0 +1,88 @@
|
||||
/*
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.authentication.preauth.x509;
|
||||
|
||||
import java.security.cert.X509Certificate;
|
||||
import java.util.regex.Matcher;
|
||||
import java.util.regex.Pattern;
|
||||
|
||||
import javax.security.auth.x500.X500Principal;
|
||||
|
||||
import org.apache.commons.logging.Log;
|
||||
import org.apache.commons.logging.LogFactory;
|
||||
|
||||
import org.springframework.context.MessageSource;
|
||||
import org.springframework.context.MessageSourceAware;
|
||||
import org.springframework.context.support.MessageSourceAccessor;
|
||||
import org.springframework.core.log.LogMessage;
|
||||
import org.springframework.security.authentication.BadCredentialsException;
|
||||
import org.springframework.security.core.SpringSecurityMessageSource;
|
||||
import org.springframework.util.Assert;
|
||||
|
||||
/**
|
||||
* Obtains the principal from a certificate using RFC2253 and RFC1779 formats. By default,
|
||||
* RFC2253 is used: DN is extracted from CN. If extractPrincipalNameFromEmail is true then
|
||||
* format RFC1779 will be used: DN is extracted from EMAIlADDRESS.
|
||||
*
|
||||
* @author Max Batischev
|
||||
* @since 7.0
|
||||
*/
|
||||
public final class SubjectX500PrincipalExtractor implements X509PrincipalExtractor, MessageSourceAware {
|
||||
|
||||
private final Log logger = LogFactory.getLog(getClass());
|
||||
|
||||
private MessageSourceAccessor messages = SpringSecurityMessageSource.getAccessor();
|
||||
|
||||
private boolean extractPrincipalNameFromEmail = false;
|
||||
|
||||
private final Pattern cnSubjectDnPattern = Pattern.compile("CN=(.*?)(?:,|$)", Pattern.CASE_INSENSITIVE);
|
||||
|
||||
private final Pattern emailSubjectDnPattern = Pattern.compile("OID.1.2.840.113549.1.9.1=(.*?)(?:,|$)",
|
||||
Pattern.CASE_INSENSITIVE);
|
||||
|
||||
@Override
|
||||
public Object extractPrincipal(X509Certificate clientCert) {
|
||||
Assert.notNull(clientCert, "clientCert cannot be null");
|
||||
X500Principal principal = clientCert.getSubjectX500Principal();
|
||||
String subjectDN = this.extractPrincipalNameFromEmail ? principal.getName("RFC1779") : principal.getName();
|
||||
this.logger.debug(LogMessage.format("Subject DN is '%s'", subjectDN));
|
||||
Matcher matcher = this.extractPrincipalNameFromEmail ? this.emailSubjectDnPattern.matcher(subjectDN)
|
||||
: this.cnSubjectDnPattern.matcher(subjectDN);
|
||||
if (!matcher.find()) {
|
||||
throw new BadCredentialsException(this.messages.getMessage("SubjectX500PrincipalExtractor.noMatching",
|
||||
new Object[] { subjectDN }, "No matching pattern was found in subject DN: {0}"));
|
||||
}
|
||||
String principalName = matcher.group(1);
|
||||
this.logger.debug(LogMessage.format("Extracted Principal name is '%s'", principalName));
|
||||
return principalName;
|
||||
}
|
||||
|
||||
@Override
|
||||
public void setMessageSource(MessageSource messageSource) {
|
||||
Assert.notNull(messageSource, "messageSource cannot be null");
|
||||
this.messages = new MessageSourceAccessor(messageSource);
|
||||
}
|
||||
|
||||
/**
|
||||
* If true then DN will be extracted from EMAIlADDRESS, defaults to {@code false}
|
||||
* @param extractPrincipalNameFromEmail whether to extract DN from EMAIlADDRESS
|
||||
*/
|
||||
public void setExtractPrincipalNameFromEmail(boolean extractPrincipalNameFromEmail) {
|
||||
this.extractPrincipalNameFromEmail = extractPrincipalNameFromEmail;
|
||||
}
|
||||
|
||||
}
|
||||
+2
-2
@@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2002-2016 the original author or authors.
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@@ -28,7 +28,7 @@ import org.springframework.security.web.authentication.preauth.AbstractPreAuthen
|
||||
*/
|
||||
public class X509AuthenticationFilter extends AbstractPreAuthenticatedProcessingFilter {
|
||||
|
||||
private X509PrincipalExtractor principalExtractor = new SubjectDnX509PrincipalExtractor();
|
||||
private X509PrincipalExtractor principalExtractor = new SubjectX500PrincipalExtractor();
|
||||
|
||||
@Override
|
||||
protected Object getPreAuthenticatedPrincipal(HttpServletRequest request) {
|
||||
|
||||
+66
@@ -0,0 +1,66 @@
|
||||
/*
|
||||
* Copyright 2002-2025 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
* You may obtain a copy of the License at
|
||||
*
|
||||
* https://www.apache.org/licenses/LICENSE-2.0
|
||||
*
|
||||
* Unless required by applicable law or agreed to in writing, software
|
||||
* distributed under the License is distributed on an "AS IS" BASIS,
|
||||
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||
* See the License for the specific language governing permissions and
|
||||
* limitations under the License.
|
||||
*/
|
||||
|
||||
package org.springframework.security.web.authentication.preauth.x509;
|
||||
|
||||
import org.junit.jupiter.api.Test;
|
||||
|
||||
import static org.assertj.core.api.Assertions.assertThat;
|
||||
import static org.assertj.core.api.Assertions.assertThatIllegalArgumentException;
|
||||
|
||||
/**
|
||||
* Tests for {@link SubjectX500PrincipalExtractor}.
|
||||
*
|
||||
* @author Max Batischev
|
||||
*/
|
||||
public class SubjectX500PrincipalExtractorTests {
|
||||
|
||||
private final SubjectX500PrincipalExtractor extractor = new SubjectX500PrincipalExtractor();
|
||||
|
||||
@Test
|
||||
void extractWhenCnPatternSetThenExtractsPrincipalName() throws Exception {
|
||||
Object principal = this.extractor.extractPrincipal(X509TestUtils.buildTestCertificate());
|
||||
|
||||
assertThat(principal).isEqualTo("Luke Taylor");
|
||||
}
|
||||
|
||||
@Test
|
||||
void extractWhenEmailPatternSetThenExtractsPrincipalName() throws Exception {
|
||||
this.extractor.setExtractPrincipalNameFromEmail(true);
|
||||
|
||||
Object principal = this.extractor.extractPrincipal(X509TestUtils.buildTestCertificate());
|
||||
|
||||
assertThat(principal).isEqualTo("luke@monkeymachine");
|
||||
}
|
||||
|
||||
@Test
|
||||
void extractWhenCnAtEndThenExtractsPrincipalName() throws Exception {
|
||||
Object principal = this.extractor.extractPrincipal(X509TestUtils.buildTestCertificateWithCnAtEnd());
|
||||
|
||||
assertThat(principal).isEqualTo("Duke");
|
||||
}
|
||||
|
||||
@Test
|
||||
void setMessageSourceWhenNullThenThrowsException() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.extractor.setMessageSource(null));
|
||||
}
|
||||
|
||||
@Test
|
||||
void extractWhenCertificateIsNullThenFails() {
|
||||
assertThatIllegalArgumentException().isThrownBy(() -> this.extractor.extractPrincipal(null));
|
||||
}
|
||||
|
||||
}
|
||||
Reference in New Issue
Block a user