From 540cc356ee160adc25aab6f959eb09a429559c6e Mon Sep 17 00:00:00 2001 From: Max Batischev Date: Wed, 23 Apr 2025 13:49:26 +0300 Subject: [PATCH] Add Support Extracting DN From X500Principal Closes gh-16980 Signed-off-by: Max Batischev --- .../x509/SubjectDnX509PrincipalExtractor.java | 19 ++++++++++++++++--- .../SubjectDnX509PrincipalExtractorTests.java | 9 ++++++++- 2 files changed, 24 insertions(+), 4 deletions(-) diff --git a/web/src/main/java/org/springframework/security/web/authentication/preauth/x509/SubjectDnX509PrincipalExtractor.java b/web/src/main/java/org/springframework/security/web/authentication/preauth/x509/SubjectDnX509PrincipalExtractor.java index b690af59c03..442230a9639 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/preauth/x509/SubjectDnX509PrincipalExtractor.java +++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/x509/SubjectDnX509PrincipalExtractor.java @@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -43,6 +43,7 @@ * "EMAILADDRESS=jimi@hendrix.org, CN=..." giving a user name "jimi@hendrix.org" * * @author Luke Taylor + * @author Max Batischev */ public class SubjectDnX509PrincipalExtractor implements X509PrincipalExtractor, MessageSourceAware { 
@@ -52,14 +53,16 @@ public class SubjectDnX509PrincipalExtractor implements X509PrincipalExtractor, private Pattern subjectDnPattern; + private boolean extractPrincipalNameFromX500Principal = false; + public SubjectDnX509PrincipalExtractor() { setSubjectDnRegex("CN=(.*?)(?:,|$)"); } @Override public Object extractPrincipal(X509Certificate clientCert) { - // String subjectDN = clientCert.getSubjectX500Principal().getName(); - String subjectDN = clientCert.getSubjectDN().getName(); + String subjectDN = this.extractPrincipalNameFromX500Principal ? clientCert.getSubjectX500Principal().getName() + : clientCert.getSubjectDN().getName(); this.logger.debug(LogMessage.format("Subject DN is '%s'", subjectDN)); Matcher matcher = this.subjectDnPattern.matcher(subjectDN); if (!matcher.find()) { @@ -98,4 +101,14 @@ public void setMessageSource(MessageSource messageSource) { this.messages = new MessageSourceAccessor(messageSource); } + /** + * If true then extracts principal name from X500Principal, defaults to {@code false} + * @param extractPrincipalNameFromX500Principal whether to extract the principal name + * from X500Principal + * @since 7.0 + */ + public void setExtractPrincipalNameFromX500Principal(boolean extractPrincipalNameFromX500Principal) { + this.extractPrincipalNameFromX500Principal = extractPrincipalNameFromX500Principal; + } + } diff --git a/web/src/test/java/org/springframework/security/web/authentication/preauth/x509/SubjectDnX509PrincipalExtractorTests.java b/web/src/test/java/org/springframework/security/web/authentication/preauth/x509/SubjectDnX509PrincipalExtractorTests.java index a86b41e0bc7..193b83d27cd 100644 --- a/web/src/test/java/org/springframework/security/web/authentication/preauth/x509/SubjectDnX509PrincipalExtractorTests.java +++ b/web/src/test/java/org/springframework/security/web/authentication/preauth/x509/SubjectDnX509PrincipalExtractorTests.java 
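Review bot: The new `getSubjectX500Principal().getName()` branch feeds `subjectDnPattern` a differently formatted string than the legacy branch, and nothing in the hunk records that the two are not interchangeable. With no format argument `X500Principal.getName()` returns the RFC 2253 form (backslash-escaped reserved characters, and attribute types outside the RFC 2253 keyword set, emailAddress among them, rendered as a dotted OID with a `#`-hex value), whereas `getSubjectDN().getName()` is the JDK's implementation-specific legacy string; a `subjectDnRegex` written against one, such as the `EMAILADDRESS=` example in the class Javadoc, can stop matching under the other and end up in the no-match branch that closes this hunk. I would put that next to the ternary so the next reader does not treat the flag as a pure implementation swap, e.g. `// RFC 2253 output (OID+hex for non-keyword attributes, backslash escaping); not a drop-in for the legacy getSubjectDN() string, so the configured regex must be written for the chosen format`. The rest of `extractPrincipal` continues past the end of the hunk.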
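Review bot: The Javadoc on `setExtractPrincipalNameFromX500Principal` does not say what changes for the caller when the flag is on, and the one thing a user of this setter needs to know is that the configured `subjectDnRegex` will then be matched against `X500Principal.getName()` output rather than the legacy `getSubjectDN().getName()` string. The first sentence also reads as a fragment ("If true then extracts principal name from X500Principal, defaults to {@code false}", no period). I would replace it with: `Whether to read the subject DN via {@link java.security.cert.X509Certificate#getSubjectX500Principal()} (RFC 2253 form) instead of the legacy {@code getSubjectDN().getName()} string; the two formats differ, so the configured subject DN regex must match the selected form. Defaults to {@code false}.` It may also be worth noting that the JDK documents `getSubjectDN()` as denigrated, which is presumably why the X500Principal path was added.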
@@ -1,5 +1,5 @@ /* - * Copyright 2002-2020 the original author or authors. + * Copyright 2002-2025 the original author or authors. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. @@ -54,6 +54,13 @@ public void defaultCNPatternReturnsExcpectedPrincipal() throws Exception { assertThat(principal).isEqualTo("Luke Taylor"); } + @Test + public void defaultCNPatternReturnsPrincipalWhenExtractPrincipalNameFromX500PrincipalIsTrue() throws Exception { + this.extractor.setExtractPrincipalNameFromX500Principal(true); + Object principal = this.extractor.extractPrincipal(X509TestUtils.buildTestCertificate()); + assertThat(principal).isEqualTo("Luke Taylor"); + } + @Test public void matchOnEmailReturnsExpectedPrincipal() throws Exception { this.extractor.setSubjectDnRegex("emailAddress=(.*?),");
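Review bot: The new test in `defaultCNPatternReturnsPrincipalWhenExtractPrincipalNameFromX500PrincipalIsTrue` uses the same certificate and the same expected value as the test above it, so it would pass even if the flag were ignored and does not show where the two code paths diverge. The interesting case is a non-keyword attribute: if `X509TestUtils.buildTestCertificate()` carries the emailAddress attribute that `matchOnEmailReturnsExpectedPrincipal` relies on, a companion test that sets the flag, calls `this.extractor.setSubjectDnRegex("emailAddress=(.*?),")` and asserts the outcome (presumably a no-match failure, since RFC 2253 output renders that attribute as an OID with a hex value; verify against the actual string) would pin the behavioural difference the feature introduces. Without such a test a regression that collapses the two branches into one would go unnoticed.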