diff --git a/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/x509.adoc b/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/x509.adoc index f6ed508a23c..6cac537d453 100644 --- a/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/x509.adoc +++ b/docs/manual/src/docs/asciidoc/_includes/servlet/additional-topics/x509.adoc @@ -46,7 +46,7 @@ The `subject-principal-regex` should contain a single group. For example the default expression "CN=(.*?)," matches the common name field. So if the subject name in the certificate is "CN=Jimi Hendrix, OU=...", this will give a user name of "Jimi Hendrix". The matches are case insensitive. -So "emailAddress=(.?)," will match "EMAILADDRESS=jimi@hendrix.org,CN=..." giving a user name "jimi@hendrix.org". +So "emailAddress=(+.*?+)," will match "EMAILADDRESS=jimi@hendrix.org,CN=..." giving a user name "jimi@hendrix.org". If the client presents a certificate and a valid username is successfully extracted, then there should be a valid `Authentication` object in the security context. If no certificate is found, or no corresponding user could be found then the security context will remain empty. This means that you can easily use X.509 authentication with other options such as a form-based login. diff --git a/web/src/main/java/org/springframework/security/web/authentication/preauth/x509/SubjectDnX509PrincipalExtractor.java b/web/src/main/java/org/springframework/security/web/authentication/preauth/x509/SubjectDnX509PrincipalExtractor.java index 18693d55332..6a667e5de7f 100644 --- a/web/src/main/java/org/springframework/security/web/authentication/preauth/x509/SubjectDnX509PrincipalExtractor.java +++ b/web/src/main/java/org/springframework/security/web/authentication/preauth/x509/SubjectDnX509PrincipalExtractor.java @@ -36,7 +36,7 @@ * expression "CN=(.*?)(?:,|$)" matches the common name field. So * "CN=Jimi Hendrix, OU=..." will give a user name of "Jimi Hendrix". *
- * The matches are case insensitive. So "emailAddress=(.?)," will match + * The matches are case insensitive. So "emailAddress=(.*?)," will match * "EMAILADDRESS=jimi@hendrix.org, CN=..." giving a user name "jimi@hendrix.org" * * @author Luke Taylor
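Review bot: In the x509.adoc hunk, the corrected example is written as "emailAddress=(+.*?+)," with `+` markers around the quantifier, while the default expression earlier in the same paragraph is still written as "CN=(.*?)," without them. If the markers are meant as AsciiDoc inline passthrough, please check the rendered page to confirm they do not show up as literal `+` characters inside the quoted pattern, since a reader copying "(+.*?+)" would get a different regex. Apply the same escaping to the CN example so both patterns render the same way. Separately, this paragraph gives the default as "CN=(.*?)," whereas the Javadoc in the second file of this patch gives it as "CN=(.*?)(?:,|$)"; the two should agree.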
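Review bot: In the SubjectDnX509PrincipalExtractor.java hunk, the corrected example "emailAddress=(.*?)," still requires a trailing comma, unlike the default "CN=(.*?)(?:,|$)" quoted two lines above it in the same comment. A reader who copies the example as a principal regex gets no match when emailAddress is the last attribute in the subject DN. Consider showing "emailAddress=(.*?)(?:,|$)" so the example follows the same terminator as the default. The sentence also ends at "jimi@hendrix.org" without a closing period.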