Yes, possibly by making SSL client authentication optional.
Here at Baeldung there is a good guide to enabling SSL client authentication with X.509 certificates, with mandatory client authentication (not suitable for your case, with a login form).
Follow this guide, but in the application.properties file set this instead:

server.ssl.client-auth=want

This will make the client-server SSL handshake attempt to obtain a certificate.
- If the browser does not provide a certificate (none configured, or the user clicks cancel when asked to select a certificate from the list), then the SSL handshake is performed without a client certificate, and the user logs in with a username + password.
- If the user selects a certificate, the SSL handshake is performed using the client certificate. The server then verifies this certificate against the trust store. If the certificate is valid, the SSL handshake completes successfully. Otherwise, the server refuses the connection.

Note that:

- Only authentication is performed using the X.509 certificate. For authorization, you must give X509Configurer a UserDetailsService that returns the UserDetails for a user who has just authenticated via X.509.
- Thus, if you have a user database with roles assigned, even if the certificate is in the trust store, the user may not be in the user database, so you will have to handle this possibility in the application logic, i.e. when the SSL connection is mutual but the user is not present in the user database.
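As an added illustration (not code from the answer or from the Baeldung guide), here is a Spring Boot 3 / Spring Security 6 configuration that combines the optional X.509 path with a login-form fallback and handles the "trusted certificate, unknown user" case the answer describes. It assumes `server.ssl.client-auth=want` plus the key-store and trust-store properties from the guide are already in application.properties; the class name, the `CERT_USERS` map and the `/login` page are hypothetical.

```java
import java.util.Map;
import java.util.Set;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class MutualTlsOptionalConfig {

    // Stand-in for the application's user database: certificate CN -> roles (constructed data).
    private static final Map<String, Set<String>> CERT_USERS = Map.of(
            "alice", Set.of("USER", "ADMIN"),
            "bob", Set.of("USER"));

    // Runs only after the TLS layer accepted the certificate against the trust store.
    // A CN with no account is rejected here: "trusted certificate" != "known user".
    // Not a @Bean on purpose, so it does not become the form login's user store.
    private UserDetailsService certificateUsers() {
        return cn -> {
            Set<String> roles = CERT_USERS.get(cn);
            if (roles == null) {
                throw new UsernameNotFoundException("no account for certificate CN " + cn);
            }
            return User.withUsername(cn)
                    .password("")   // unused: the certificate did the authenticating
                    .roles(roles.toArray(String[]::new))
                    .build();
        };
    }

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http.authorizeHttpRequests(auth -> auth
                        .requestMatchers("/login", "/css/**").permitAll()
                        .anyRequest().authenticated())
                // Certificate presented: take the CN as the username.
                .x509(x509 -> x509
                        .subjectPrincipalRegex("CN=(.*?)(?:,|$)")
                        .userDetailsService(certificateUsers()))
                // No certificate, or unknown CN: the X.509 filter lets the request continue
                // unauthenticated and the form login (its own password-backed user store) takes over.
                .formLogin(form -> form.loginPage("/login").permitAll());
        return http.build();
    }
}
```

The pre-authenticated X.509 filter continues the filter chain on failure by default, which is what turns an unknown CN into a plain form-login request rather than a rejected one.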