X.509 User Certificate Provider
Use an X.509 User Certificate provider when clients connect over HTTPS and present X.509 certificates for mutual authentication. The provider validates that the client certificate is:
- Signed by a trusted certificate authority
- Not expired
- Not revoked, as verified by Java support for the Online Certificate Status Protocol (OCSP) and the Certificate Revocation Lists Distribution Point (CRLDP)
If a certificate validates, authentication succeeds. The server must receive the client request via HTTPS and a mutual authentication listener. An X.509 User Certificate provider can create a subject principal; the principal name is the fully qualified SubjectDN in the user's certificate. You can use the subject principal name with the UserRoleAuthorizer to grant roles to this user.
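The three checks listed above, and the principal name derived from the SubjectDN, can be reproduced with the standard Java PKIX API. This is an added example, not the provider's own code. It assumes the client certificate is issued directly by a CA in the truststore; the class name and file arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collections;
import java.util.EnumSet;

public class ClientCertCheck {

    // Returns the subject DN when all three checks pass; throws otherwise.
    static String validate(X509Certificate cert, KeyStore trustedCas) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(Collections.singletonList(cert));

        // Check 1: the path must chain to a CA certificate in the truststore.
        PKIXParameters params = new PKIXParameters(trustedCas);

        // Check 3: revocation. The default checker prefers OCSP and falls back
        // to CRLs. An empty option set leaves SOFT_FAIL off, so an unreachable
        // responder rejects the certificate instead of letting it through.
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        PKIXRevocationChecker revocation =
                (PKIXRevocationChecker) validator.getRevocationChecker();
        revocation.setOptions(EnumSet.noneOf(PKIXRevocationChecker.Option.class));
        params.addCertPathChecker(revocation);

        // Check 2: validate() also rejects certificates outside their validity period.
        validator.validate(path, params);

        // Assumption: RFC 2253 string form; the provider's exact DN format may differ.
        return cert.getSubjectX500Principal().getName();
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical args: <client-cert.pem> <truststore.p12> <truststore-password>
        KeyStore trustedCas = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[1])) {
            trustedCas.load(in, args[2].toCharArray());
        }
        X509Certificate cert;
        try (InputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        try {
            System.out.println("authenticated as: " + validate(cert, trustedCas));
        } catch (CertPathValidatorException e) {
            System.out.println("rejected: " + e.getReason() + " (" + e.getMessage() + ")");
        }
    }
}
```

Because role grants key on the full DN string, compare the printed name character for character with the name configured for the UserRoleAuthorizer.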