Expected Behavior
We should be able to configure the authenticationSuccessHandler and authenticationFailureHandler for x509 authentication
Current Behavior
Currently we can only configure the principalExtractor and authenticationManager
Context
Since the current x509 configuration does not accept an authenticationFailureHandler, the created AuthenticationWebFilter uses the default failure handler, which prompts for basic authentication on x509 auth failure. The only way to disable this prompt is by creating a custom AuthenticationWebFilter with a defined authenticationFailureHandler, which is confusing and non-intuitive for developers.
For example, the following configuration will prompt for basic auth after receiving a bad client certificate:
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        SubjectDnX509PrincipalExtractor principalExtractor =
                new SubjectDnX509PrincipalExtractor();
        principalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)");
        ReactiveAuthenticationManager authenticationManager = authentication -> {
            authentication.setAuthenticated("Trusted Org Unit".equals(authentication.getName()));
            return Mono.just(authentication);
        };
        http
            .x509(x509 -> x509
                .principalExtractor(principalExtractor)
                .authenticationManager(authenticationManager)
            )
            .authorizeExchange(exchanges -> exchanges
                .anyExchange().authenticated()
            );
        return http.build();
    }
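The workaround the Context section describes, written out as an added example (not code from the issue or from the Spring Security project): the `AuthenticationWebFilter` is built by hand so a failure handler can be set, and the same entry point is registered for exception handling so requests that arrive without a client certificate do not fall back to a Basic challenge either. The class name, the bare 401 response, and signalling rejection with `Mono.error` instead of `setAuthenticated(false)` are assumptions made for this sketch.

```java
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.http.HttpStatus;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.authentication.ReactiveAuthenticationManager;
import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
import org.springframework.security.config.web.server.SecurityWebFiltersOrder;
import org.springframework.security.config.web.server.ServerHttpSecurity;
import org.springframework.security.web.authentication.preauth.x509.SubjectDnX509PrincipalExtractor;
import org.springframework.security.web.server.SecurityWebFilterChain;
import org.springframework.security.web.server.ServerAuthenticationEntryPoint;
import org.springframework.security.web.server.authentication.AuthenticationWebFilter;
import org.springframework.security.web.server.authentication.HttpStatusServerEntryPoint;
import org.springframework.security.web.server.authentication.ServerAuthenticationEntryPointFailureHandler;
import org.springframework.security.web.server.authentication.ServerX509AuthenticationConverter;
import reactor.core.publisher.Mono;

@Configuration
@EnableWebFluxSecurity
public class X509FailureHandlerConfig { // hypothetical class name, added example
    @Bean
    public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
        SubjectDnX509PrincipalExtractor principalExtractor = new SubjectDnX509PrincipalExtractor();
        principalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)");

        // Reject by emitting an error so the filter's failure handler is invoked.
        ReactiveAuthenticationManager authenticationManager = authentication -> {
            if (!"Trusted Org Unit".equals(authentication.getName())) {
                return Mono.error(new BadCredentialsException("Untrusted org unit"));
            }
            authentication.setAuthenticated(true);
            return Mono.just(authentication);
        };

        // Status-only 401: no WWW-Authenticate header, so no Basic prompt.
        ServerAuthenticationEntryPoint unauthorized = new HttpStatusServerEntryPoint(HttpStatus.UNAUTHORIZED);
        AuthenticationWebFilter x509Filter = new AuthenticationWebFilter(authenticationManager);
        x509Filter.setServerAuthenticationConverter(new ServerX509AuthenticationConverter(principalExtractor));
        x509Filter.setAuthenticationFailureHandler(new ServerAuthenticationEntryPointFailureHandler(unauthorized));

        http
            .addFilterAt(x509Filter, SecurityWebFiltersOrder.AUTHENTICATION)
            // Unauthenticated requests that reach authorization get the same 401.
            .exceptionHandling(handling -> handling.authenticationEntryPoint(unauthorized))
            .authorizeExchange(exchanges -> exchanges.anyExchange().authenticated());
        return http.build();
    }
}
```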
Comment From: jzheaux
@torres-sonia, thanks for reaching out. Since X.509 is authenticated by the servlet container before reaching Spring Security, there usually isn't an authentication failure to negotiate. What is the failure that you are experiencing?
Comment From: spring-projects-issues
If you would like us to look at this issue, please provide the requested information. If the information is not provided within the next 7 days this issue will be closed.
Comment From: spring-projects-issues
Closing due to lack of requested feedback. If you would like us to look at this issue, please provide the requested information and we will re-open the issue.