Update x509 Reference

- Use include-code
- Demo how to customize SubjectX500PrincipalExtractor

Author: rwinch

docs/antora.yml

@@ -18,3 +18,4 @@ asciidoc:
     gh-url: "https://github.com/spring-projects/spring-security/tree/{gh-tag}"
     include-java: 'example$docs-src/test/java/org/springframework/security/docs'
     include-kotlin: 'example$docs-src/test/kotlin/org/springframework/security/kt/docs'
+    include-xml: 'example$docs-src/test/resources/org/springframework/security/docs'

docs/modules/ROOT/pages/reactive/authentication/x509.adoc

@@ -5,98 +5,16 @@ Similar to xref:servlet/authentication/x509.adoc#servlet-x509[Servlet X.509 auth
 
 The following example shows a reactive x509 security configuration:
 
-[tabs]
-======
-Java::
-+
-[source,java,role="primary"]
-----
-@Bean
-public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
-	http
-		.x509(withDefaults())
-		.authorizeExchange(exchanges -> exchanges
-		    .anyExchange().permitAll()
-		);
-	return http.build();
-}
-----
+include-code::./DefaultX509Configuration[tag=springSecurity,indent=0]
 
-Kotlin::
-+
-[source,kotlin,role="secondary"]
-----
-@Bean
-fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain {
-    return http {
-        x509 { }
-        authorizeExchange {
-            authorize(anyExchange, authenticated)
-        }
-    }
-}
-----
-======
-
-In the preceding configuration, when neither `principalExtractor` nor `authenticationManager` is provided, defaults are used. The default principal extractor is `SubjectDnX509PrincipalExtractor`, which extracts the CN (common name) field from a certificate provided by a client. The default authentication manager is `ReactivePreAuthenticatedAuthenticationManager`, which performs user account validation, checking that a user account with a name extracted by `principalExtractor` exists and that it is not locked, disabled, or expired.
+In the preceding configuration, when neither `principalExtractor` nor `authenticationManager` is provided, defaults are used.
+The default principal extractor is `SubjectX500PrincipalExtractor`, which extracts the CN (common name) field from a certificate provided by a client.
+The default authentication manager is `ReactivePreAuthenticatedAuthenticationManager`, which performs user account validation, checking that a user account with a name extracted by `principalExtractor` exists and that it is not locked, disabled, or expired.
 
 The following example demonstrates how these defaults can be overridden:
 
-[tabs]
-======
-Java::
-+
-[source,java,role="primary"]
-----
-@Bean
-public SecurityWebFilterChain securityWebFilterChain(ServerHttpSecurity http) {
-	SubjectDnX509PrincipalExtractor principalExtractor =
-	        new SubjectDnX509PrincipalExtractor();
-
-	principalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)");
-
-	ReactiveAuthenticationManager authenticationManager = authentication -> {
-		authentication.setAuthenticated("Trusted Org Unit".equals(authentication.getName()));
-		return Mono.just(authentication);
-	};
-
-	http
-		.x509(x509 -> x509
-		    .principalExtractor(principalExtractor)
-		    .authenticationManager(authenticationManager)
-		)
-		.authorizeExchange(exchanges -> exchanges
-		    .anyExchange().authenticated()
-		);
-	return http.build();
-}
-----
-
-Kotlin::
-+
-[source,kotlin,role="secondary"]
-----
-@Bean
-fun securityWebFilterChain(http: ServerHttpSecurity): SecurityWebFilterChain? {
-    val customPrincipalExtractor = SubjectDnX509PrincipalExtractor()
-    customPrincipalExtractor.setSubjectDnRegex("OU=(.*?)(?:,|$)")
-    val customAuthenticationManager = ReactiveAuthenticationManager { authentication: Authentication ->
-        authentication.isAuthenticated = "Trusted Org Unit" == authentication.name
-        Mono.just(authentication)
-    }
-    return http {
-        x509 {
-            principalExtractor = customPrincipalExtractor
-            authenticationManager = customAuthenticationManager
-        }
-        authorizeExchange {
-            authorize(anyExchange, authenticated)
-        }
-    }
-}
-----
-======
+include-code::./CustomX509Configuration[tag=springSecurity,indent=0]
 
-In the previous example, a username is extracted from the OU field of a client certificate instead of CN, and account lookup using `ReactiveUserDetailsService` is not performed at all. Instead, if the provided certificate issued to an OU named "`Trusted Org Unit`", a request is authenticated.
+In the previous example, a username is extracted from the `emailAddress` field of a client certificate instead of CN, and account lookup uses a custom `ReactiveAuthenticationManager` instance.
 
 For an example of configuring Netty and `WebClient` or `curl` command-line tool to use mutual TLS and enable X.509 authentication, see https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509.

docs/modules/ROOT/pages/servlet/authentication/x509.adoc

@@ -14,37 +14,27 @@ You should get this working before trying it out with Spring Security.
 The Spring Security X.509 module extracts the certificate by using a filter.
 It maps the certificate to an application user and loads that user's set of granted authorities for use with the standard Spring Security infrastructure.
 
-
+[[servlet-x509-config]]
 == Adding X.509 Authentication to Your Web Application
-Enabling X.509 client authentication is very straightforward.
-To do so, add the `<x509/>` element to your http security namespace configuration:
 
-[source,xml]
-----
-<http>
-...
-	<x509 subject-principal-regex="CN=(.*?)," user-service-ref="userService"/>;
-</http>
-----
+Similar to xref:reactive/authentication/x509.adoc[Reactive X.509 authentication], the servlet x509 authentication filter allows extracting an authentication token from a certificate provided by a client.
+
+The following example shows a reactive x509 security configuration:
+
+include-code::./DefaultX509Configuration[tag=springSecurity,indent=0]
+
+In the preceding configuration, when neither `principalExtractor` nor `authenticationManager` is provided, defaults are used.
+The default principal extractor is `SubjectX500PrincipalExtractor`, which extracts the CN (common name) field from a certificate provided by a client.
+The default authentication manager is `ReactivePreAuthenticatedAuthenticationManager`, which performs user account validation, checking that a user account with a name extracted by `principalExtractor` exists and that it is not locked, disabled, or expired.
+
+The following example demonstrates how these defaults can be overridden:
+
+include-code::./CustomX509Configuration[tag=springSecurity,indent=0]
+
+In the previous example, a username is extracted from the `emailAddress` field of a client certificate instead of CN, and account lookup uses a custom `ReactiveAuthenticationManager` instance.
+
+For an example of configuring Netty and `WebClient` or `curl` command-line tool to use mutual TLS and enable X.509 authentication, see https://github.com/spring-projects/spring-security-samples/tree/main/servlet/java-configuration/authentication/x509.
 
-The element has two optional attributes:
-
-* `subject-principal-regex`.
-The regular expression used to extract a username from the certificate's subject name.
-The default value is shown in the preceding listing.
-This is the username that is passed to the `UserDetailsService` to load the authorities for the user.
-* `user-service-ref`.
-This is the bean ID of the `UserDetailsService` to be used with X.509.
-It is not needed if there is only one defined in your application context.
-
-The `subject-principal-regex` should contain a single group.
-For example, the default expression (`CN=(.*?)`) matches the common name field.
-So, if the subject name in the certificate is "CN=Jimi Hendrix, OU=...", this gives a user name of "Jimi Hendrix".
-The matches are case insensitive.
-So "emailAddress=(+.*?+)," matches "[email protected],CN=...", giving a user name "[email protected]".
-If the client presents a certificate and a valid username is successfully extracted, there should be a valid `Authentication` object in the security context.
-If no certificate is found or no corresponding user could be found, the security context remains empty.
-This means that you can use X.509 authentication with other options, such as a form-based login.
 
 [[x509-ssl-config]]
 == Setting up SSL in Tomcat

docs/src/test/java/org/springframework/security/docs/reactive/authentication/reactivex509/CustomX509Configuration.java

@@ -0,0 +1,74 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.docs.reactive.authentication.reactivex509;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.authentication.ReactiveAuthenticationManager;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
+import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.web.authentication.preauth.x509.SubjectX500PrincipalExtractor;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.security.web.server.authentication.ReactivePreAuthenticatedAuthenticationManager;
+import org.springframework.web.reactive.config.EnableWebFlux;
+
+/**
+ * Demonstrates custom configuration for x509 reactive configuration.
+ *
+ * @author Rob Winch
+ */
+@Configuration(proxyBeanMethods = false)
+@EnableWebFluxSecurity
+@EnableWebFlux
+public class CustomX509Configuration {
+
+	// tag::springSecurity[]
+	@Bean
+	SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
+		SubjectX500PrincipalExtractor principalExtractor = new SubjectX500PrincipalExtractor();
+		principalExtractor.setExtractPrincipalNameFromEmail(true);
+
+		// @formatter:off
+		UserDetails user = User
+			.withUsername("luke@monkeymachine")
+			.password("password")
+			.roles("USER")
+			.build();
+		// @formatter:on
+
+		ReactiveUserDetailsService users = new MapReactiveUserDetailsService(user);
+		ReactiveAuthenticationManager authenticationManager = new ReactivePreAuthenticatedAuthenticationManager(users);
+
+		// @formatter:off
+		http
+			.x509(x509 -> x509
+				.principalExtractor(principalExtractor)
+				.authenticationManager(authenticationManager)
+			)
+			.authorizeExchange(exchanges -> exchanges
+				.anyExchange().authenticated()
+			);
+		// @formatter:on
+		return http.build();
+	}
+	// end::springSecurity[]
+
+}

docs/src/test/java/org/springframework/security/docs/reactive/authentication/reactivex509/DefaultX509Configuration.java

@@ -0,0 +1,67 @@
+/*
+ * Copyright 2002-2025 the original author or authors.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      https://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+package org.springframework.security.docs.reactive.authentication.reactivex509;
+
+import org.springframework.context.annotation.Bean;
+import org.springframework.context.annotation.Configuration;
+import org.springframework.security.config.Customizer;
+import org.springframework.security.config.annotation.web.reactive.EnableWebFluxSecurity;
+import org.springframework.security.config.web.server.ServerHttpSecurity;
+import org.springframework.security.core.userdetails.MapReactiveUserDetailsService;
+import org.springframework.security.core.userdetails.ReactiveUserDetailsService;
+import org.springframework.security.core.userdetails.User;
+import org.springframework.security.core.userdetails.UserDetails;
+import org.springframework.security.web.server.SecurityWebFilterChain;
+import org.springframework.web.reactive.config.EnableWebFlux;
+
+/**
+ * Demonstrates custom configuration for x509 reactive configuration.
+ *
+ * @author Rob Winch
+ */
+@Configuration(proxyBeanMethods = false)
+@EnableWebFluxSecurity
+@EnableWebFlux
+public class DefaultX509Configuration {
+
+	// tag::springSecurity[]
+	@Bean
+	SecurityWebFilterChain springSecurity(ServerHttpSecurity http) {
+		// @formatter:off
+		http
+			.x509(Customizer.withDefaults())
+			.authorizeExchange(exchanges -> exchanges
+				.anyExchange().authenticated()
+			);
+		// @formatter:on
+		return http.build();
+	}
+	// end::springSecurity[]
+
+	@Bean
+	ReactiveUserDetailsService userDetailsService() {
+		// @formatter:off
+		UserDetails user = User
+				.withUsername("rod")
+				.password("password")
+				.roles("USER")
+				.build();
+		// @formatter:on
+
+		return new MapReactiveUserDetailsService(user);
+	}
+}