3

I am trying to implement mutual authentication (authentication with x509 client certificates) in Spring Cloud Gateway, but throughout my research, I haven't been able to figure out where to start.

From what I can see, authentication is not handled through Spring Cloud Gateway itself but instead should be done through Spring WebFlux -- please correct me if this is an incorrect assumption. I have found examples of implementing certification authentication through Spring Security, but I have not found any with WebFlux.

Can anyone offer some tips or even some code examples to get me on the right track with this?

Chatoyancy
  • There is support for X509 in Spring Security 5.2.0.RC1. I am struggling to get the X509Certs from the SecurityContext. Please let me know if you find any examples to get the certs. – Surendra Poranki Oct 04 '19 at 14:32

2 Answers

1

You can configure it in src/main/resources/application.yml, e.g.

server:
  # for testing or development without SSL certs (HTTP) use an "appropriate"
  # non-secure port, e.g. 8080
  # for HTTPS use an "appropriate" secure port, e.g. 8443
  port: 8443
  ssl:
    # for HTTP set enabled to false, for HTTPS (with required client certs) set to true
    enabled: true
    # this is the spring cloud gateway _server_ cert
    key-store: /etc/pki/tls/private/server.p12
    key-store-password: servercertpassword
    key-store-type: PKCS12
    # this is the "bundle" of CA intermediate/root certs against which the client
    # cert is validated
    trust-store: /etc/pki/ca-trust/extracted/java/cacerts
    # this `client-auth` option is where you *require* mutual-TLS, it can alternatively
    # be made optional
    client-auth: need
    trust-store-password: truststorepassword
    trust-store-type: JCEKS
management:
  # management port without SSL to allow monitoring/etc. without client certs
  # e.g. /actuator/health
  server:
    port: 8080
    ssl:
      enabled: false

If you have a set of client certs, a server cert, and trust-store / CA bundle, this is an example of how to configure it in Spring Cloud Gateway.

An X509 PreAuthenticatedAuthenticationToken will be available in your application for successful connections made via mutual TLS, containing the principal/details of the client cert.

Steve Goossens
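The application.yml above only makes the TLS layer demand a client certificate; it does not by itself decide which certificates the gateway trusts at the application level, and the comment on the question asks how to reach the certificate afterwards. The following is an added example, not code from the question or either answer, of the WebFlux-side configuration that goes with that YAML. It assumes Spring Boot 2.2+ / Spring Security 5.2+ (spring-boot-starter-security on the gateway's classpath), and the allow-listed CNs, the `/actuator/health` path from the answer's management block, and the `X-Client-CN` header name are hypothetical choices for illustration.

```java
// Added example (not from the question or answers). Assumes Spring Security 5.2+
// on a Spring Cloud Gateway (WebFlux) application whose server.ssl.client-auth is
// set to "need" as in the application.yml above.
package com.example.gateway.security;

import java.security.Principal;
import java.util.Set;

import org.springframework.cloud.gateway.filter.GatewayFilterChain;
import org.springframework.cloud.gateway.filter.GlobalFilter;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.stereotype.Component;
import org.springframework.web.server.ServerWebExchange;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class X509SecurityConfig {

    // Hypothetical allow-list of client certificate CNs (constructed for this example);
    // a real deployment would load this from configuration or a directory.
    private static final Set<String> ALLOWED_CLIENTS = Set.of("gateway-client-a", "gateway-client-b");

    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        SubjectDnX509PrincipalExtractor extractor = new SubjectDnX509PrincipalExtractor();
        // Use the CN of the certificate's subject DN as the principal name
        extractor.setSubjectDnRegex("CN=(.*?)(?:,|$)");

        return http
            .x509(x509 -> x509
                .principalExtractor(extractor)
                .authenticationManager(clientCertAuthenticationManager()))
            .authorizeExchange(exchanges -> exchanges
                // health endpoint is exposed on the non-TLS management port in the YAML
                .pathMatchers("/actuator/health").permitAll()
                .anyExchange().authenticated())
            // routes are called by non-browser clients, so CSRF tokens do not apply
            .csrf(ServerHttpSecurity.CsrfSpec::disable)
            .build();
    }

    // Decides, after the TLS handshake already verified the chain against the
    // trust-store, whether this particular client certificate may use the gateway.
    private ReactiveAuthenticationManager clientCertAuthenticationManager() {
        return authentication -> {
            String cn = authentication.getName();
            if (!ALLOWED_CLIENTS.contains(cn)) {
                return Mono.error(new BadCredentialsException("client certificate CN not permitted: " + cn));
            }
            // getCredentials() is the java.security.cert.X509Certificate placed there by
            // Spring Security's ServerX509AuthenticationConverter; keep it on the token so
            // downstream code can inspect the certificate itself.
            return Mono.just(new PreAuthenticatedAuthenticationToken(
                cn, authentication.getCredentials(),
                AuthorityUtils.createAuthorityList("ROLE_GATEWAY_CLIENT")));
        };
    }
}

// Propagates the authenticated client's CN to the routed service. set() overwrites
// any X-Client-CN header the caller sent, so the backend never sees a spoofed value;
// the backend should still only trust this header on its private link from the gateway.
@Component
class ClientCnHeaderFilter implements GlobalFilter {

    @Override
    public Mono<Void> filter(ServerWebExchange exchange, GatewayFilterChain chain) {
        return exchange.getPrincipal()
            .map(Principal::getName)
            .map(cn -> exchange.mutate()
                .request(request -> request.headers(headers -> headers.set("X-Client-CN", cn)))
                .build())
            .defaultIfEmpty(exchange)
            .flatMap(chain::filter);
    }
}
```

Spring Security's X.509 support in WebFlux is the `x509()` DSL on `ServerHttpSecurity`; its converter turns the certificate that Reactor Netty already validated against the trust-store into an unauthenticated `PreAuthenticatedAuthenticationToken`, and the `ReactiveAuthenticationManager` shown returns the authenticated token that then appears in the `SecurityContext` and via `exchange.getPrincipal()`. If you omit `authenticationManager(...)`, Spring Security instead looks the extracted name up through a `ReactiveUserDetailsService` bean, which is the variant the reactive-x509 reference page describes.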
0

You are correct about the gateway using WebFlux, where there is no standard authentication mechanism such as in Spring MVC. The suggested way of authenticating is here: https://docs.spring.io/spring-security/site/docs/5.2.5.RELEASE/reference/html/reactive-x509.html

I also found the code example here helpful in setting up the application.yml file. https://github.com/spring-projects/spring-security-samples/tree/main/reactive/webflux/java/authentication/x509

This post may also be helpful: Authentication by certificate for WebFlux?

This post is not about WebFlux, but it is helpful in understanding how to set up certificates: https://www.baeldung.com/x-509-authentication-in-spring-security

Hamish Anderson