
I have a web application that will have two methods within a form to log in.

  1. Username and Password + a Login Button.
  2. Smart card login button.

Currently, we only have the Username and Password login. At some point, we will need to implement a smart card login. Most of our users already exist and will need to log in with their username and password and then "register" their smart card to associate the username with the smart card via the database. I assume the smart card will utilize X.509 certificates, and I don't want to be prompted for the certificate as soon as the login page is visited. I would prefer that the certificate prompt appears after the smart card login button has been clicked. I've seen this implemented at government sites like https://mypay.dfas.mil/#/. Is there any way I can produce this approach using JSP, Spring Security and Java?

The following link is how I built the login application: https://howtodoinjava.com/spring-security/login-form-based-spring-3-security-example/

I've been told that if I add the following to the security configuration, I could use X.509 authentication with other options such as a form-based login.

<http>
 ...
    <x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/>
 ...
</http>
       

Unfortunately, I don't know how to tie this to the login-form.

<%@ taglib uri="http://java.sun.com/jsp/jstl/core" prefix="c" %>
<%@ taglib uri="http://www.springframework.org/tags/form" prefix="form" %>
<%@ taglib uri="http://www.springframework.org/tags" prefix="spring" %>
 
<html>
    <body>
        <h1 id="banner">Login to Security Demo</h1>  
        <form name="f" action="<c:url value='j_spring_security_check'/>"
                    method="POST">
            <table>
                <tr>
                    <td>Username:</td>
                    <td><input type='text' name='j_username' /></td>
                </tr>
                <tr>
                    <td>Password:</td>
                    <td><input type='password' name='j_password'></td>
                </tr>
                <tr>
                    <td colspan="2">&nbsp;</td>
                </tr>
                <tr>
                    <td colspan='2'><input name="submit" type="submit">&nbsp;<input name="reset" type="reset"></td>
                </tr>
                <tr>
                    <td colspan='2'><input name="Smart Card Login" type="submit"></td>
                </tr>
            </table>
        </form>
    </body>
</html>
CSCMEICOMP
  • This is in no way PrimeFaces related, not JSF even, nor JSP. Certificate login is done on the application server or in a reverse proxy. – Kukeltje Jul 02 '20 at 18:43
  • So you're suggesting after I click the button I use some form of ReverseProxy? I already understand the application server configuration aspect of this. I can set the clientAuth as "need" or "want". Unfortunately, that does not provide the desired results; I don't want to be prompted immediately for the X509 Certificate. What about using Spring Boot Security? – CSCMEICOMP Jul 02 '20 at 19:03
  • No, I'm not saying that. I'm saying that SSL/TLS termination and certificate-based authentication on this level (assuming that is what you want) is done before the http request reaches the application. If you want to use the smartcard to sign some token in a web page (if possible), that is application level, but also not PrimeFaces related since this signing is done in the browser where there is only html, javascript, css and maybe some plugin. You are effectively asking a very generic (and unclear) architecture question and not a specific programming question. Hence it is off topic for SO. – Kukeltje Jul 02 '20 at 19:29
  • I've removed the tag related to Primefaces and will do so in the body of my question. If there is a plugin available to sign a token at the application level, how would I do that? – CSCMEICOMP Jul 02 '20 at 19:36
  • _"If there is a plugin available to sign a token at the application level, how would I do that?"_ Start by reading the documentation of the plugin (if there is one). This is like asking "If aliens land on earth, how do we communicate with them" – Kukeltje Jul 02 '20 at 20:05
  • I've updated my question. Does this help clarify? – CSCMEICOMP Jul 02 '20 at 21:22
  • It might for others, not for me. This is JSP that is deprecated in JSF (not in general, just for JSF) for over 10 years in favour of Facelets https://stackoverflow.com/questions/13092161 and I don't use Spring security, although I even doubt it is part of your real problem. You seem to have some conflicting requirements that I think you can only solve with two different URLs for the 'landing pages', or maybe (ab)use some cookie... For me this is just not the things I want to help with, I focus on JSF/PrimeFaces/CDI... Sorry – Kukeltje Jul 02 '20 at 22:35
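
The direction the comments point to (the certificate is requested during the TLS handshake, before the request reaches the application, so the smart card path needs its own URL) is shown here as an added example that is not part of the original question or comments. It assumes a Tomcat-style container with `clientAuth` as a connector attribute; the ports, host name, file paths, passwords and the `jdoe` user are constructed placeholders.

```xml
<!-- 1) Container (assumed Tomcat-style server.xml): two HTTPS connectors. -->
<!-- Login page and username/password traffic: no certificate is requested. -->
<Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false"
           keystoreFile="conf/server.jks" keystorePass="changeit"/>
<!-- Only this connector asks for a client certificate, so the browser's
     certificate dialog appears only when a request is sent to this port.
     "want" requests a certificate without making the handshake fail if none
     is offered. The trust store should hold only the smart card issuing
     CA(s): any certificate chaining to it whose CN matches an existing
     username is accepted by the <x509> element below. -->
<Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="want"
           keystoreFile="conf/server.jks" keystorePass="changeit"
           truststoreFile="conf/smartcard-ca.jks" truststorePass="changeit"/>

<!-- 2) Spring Security context (security schema as default namespace,
     as in the question's snippet). -->
<http use-expressions="true">
    <intercept-url pattern="/login" access="permitAll"/>
    <intercept-url pattern="/**" access="isAuthenticated()"/>
    <!-- Applies whenever the request carries no client certificate. -->
    <form-login login-page="/login" authentication-failure-url="/login?error"/>
    <!-- Reads the certificate the container verified during the handshake
         and looks the extracted CN up in userService. -->
    <x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/>
</http>
<authentication-manager>
    <authentication-provider user-service-ref="userService"/>
</authentication-manager>
<!-- Constructed in-memory user standing in for the real database lookup. -->
<user-service id="userService">
    <user name="jdoe" password="example-only" authorities="ROLE_USER"/>
</user-service>

<!-- 3) login.jsp: the smart card control is a plain link to the certificate
     connector, placed outside the username/password <form>. -->
<a href="https://app.example.test:8444/demo/">Smart Card Login</a>
```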

0 Answers