Help is available by sending an email to csf-support@mit.edu
Have any suggestion on how improve this wiki?  Please give us your feedback at csf-support@mit.edu

Using X509 Application Certificates with CSF Security version 2

Using X509 Applicaiton Certificates with CSF Security requires that the following be done:

  • add three new beans to your application's applicationContext spring security xml,
  • add one new bean to your application's applicationContext conf xml,
  • create a new allowEntities.properties file.

Each of the above is described below.

  1. Add the following 3 beans to your application's appicationContext spring security xml.

    You many already have a filterChainProxy already defined in your security XML.  If the filterChainProxy is already defined, then replace it with the filterChainProxy given below.

    The ssoX509SecurityContextPersistenceFilter and the ssoX509AuthenticationProcessingFilter are new beans. 
        <bean id="filterChainProxy" class="org.springframework.security.web.FilterChainProxy">
        <security:filter-chain-map path-type="ant">
            <security:filter-chain pattern="/css/**" filters="logoutFilter" />
            <security:filter-chain pattern="/images/**" filters="logoutFilter" />
            <security:filter-chain pattern="/js/**" filters="logoutFilter" />
            <security:filter-chain pattern="/docs/**" filters="logoutFilter" />
            <security:filter-chain pattern="/**" filters="ssoX509SecurityContextPersistenceFilter,
           		logoutFilter,
           		ssoX509AuthenticationProcessingFilter,
           		basicAuthenticationProcessingFilter,
           		exceptionTranslationFilter,
           		filterSecurityInterceptor,
           		switchUserProcessingFilter"
            />
        </security:filter-chain-map>
    </bean>

    <bean id="ssoX509SecurityContextPersistenceFilter" class="edu.mit.csf.security.spring.filter.SsoX509SecurityContextPersistenceFilter"/>
    
    <bean id="ssoX509AuthenticationProcessingFilter" class="edu.mit.csf.security.spring.filter.SsoX509AuthenticationProcessingFilter">
        <property name="authenticationManager" ref="authenticationManager"/>
        <property name="allowedEntities" ref="allowedEntities"/>
    </bean>
  2. Add the following bean to your application's appicationContext conf xml.  Notice that in the first <value> line there is a <application identifier> entry.  You must replace the <application identifier> with your application identifier.  For example: if your application identifier is addDrop, then the <value> line would be <value>file:$\{user.dir}/addDrop/allowedEntities.properties</value>. 
        <bean id="allowedEntities" class="edu.mit.csf.base.configuration.CompactApacheApplicationConfiguration" init-method="init">
        <property name="locations">
            <list>
                <value>file:${user.dir}/<application identifier>/allowedEntities.properties</value>
                <value>file:${user.home}/allowedEntities.properties</value>
            </list>
        </property>
    </bean>
  3. create a new allowEntities.properties file and place it in either the ${user.dir}/<application identifier> directory for apache/tomcat servers or in the ${user.home} for OC4J servers.