spring-projects / spring-security

Spring Security
http://spring.io/projects/spring-security
Apache License 2.0
8.74k stars 5.86k forks

Spring Security x509 won't allow multiple authentication #6746

Open subatron opened 5 years ago

subatron commented 5 years ago

Summary

With form login, you can re-authenticate a user via username/password at any time with Spring Security. With x509 authentication, this doesn't work and Spring always returns the last cert seen, even if you clear the context.

Actual Behavior

With http.x509() enabled, Spring Security acquires a cert but won't allow the user to re-authenticate with another cert unless the SSL state is cleared on the browser or the browser is closed and re-opened (unless you're on IE and request a new session).

Expected Behavior

With x509 enabled, I expect to have a way to re-authenticate the user by displaying a cert dialog again. With form login, you would just ask for their credentials and pass them in to the authentication manager. With cert-based, it's a PreAuthenticatedAuthenticationToken, so there's nothing new for us to authenticate with.

Configuration

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.core.userdetails.UsernameNotFoundException;

// Class name and imports added so the snippet compiles; the issue only posted the two methods.
@EnableWebSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .mvcMatchers("/home").hasAnyAuthority("ADMIN")
                .mvcMatchers("/**").permitAll()
            .and()
            .x509()
                // the principal is the CN captured from the client certificate's subject DN
                .subjectPrincipalRegex("CN=(.*?),")
                .userDetailsService(userDetailsService());
    }

    // every CN that arrives with a valid client certificate is granted ADMIN
    @Bean
    public UserDetailsService userDetailsService()
    {
        return new UserDetailsService() {

            @Override
            public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException {
                return new User(username, "", Arrays.asList(new SimpleGrantedAuthority("ADMIN")));
            }
        };
    }
}
```

Version

2.0.4.RELEASE. This issue is also observed on 1.5.12.RELEASE.

Sample

See full example @ https://github.com/subatron/spring-security-x509-complete
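Added example, not code from the issue or from the linked sample: the one knob Spring Security does expose here. `X509AuthenticationFilter` extends `AbstractPreAuthenticatedProcessingFilter`, which by default skips authentication entirely once the session already holds an `Authentication`; turning on `checkForPrincipalChanges` makes it compare the CN from the certificate on each request with the principal in the `SecurityContext` and re-authenticate when they differ. The class name `ReauthOnCertChangeConfig` is hypothetical; the matchers, regex and `UserDetailsService` mirror the reporter's configuration above.

```java
import java.util.Arrays;

import org.springframework.context.annotation.Bean;
import org.springframework.security.config.annotation.ObjectPostProcessor;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.core.authority.SimpleGrantedAuthority;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.preauth.x509.X509AuthenticationFilter;

// Hypothetical configuration class written for this example; not from the issue or the sample repo.
@EnableWebSecurity
public class ReauthOnCertChangeConfig extends WebSecurityConfigurerAdapter {

    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http
            .authorizeRequests()
                .mvcMatchers("/home").hasAnyAuthority("ADMIN")
                .mvcMatchers("/**").permitAll()
            .and()
            .x509()
                .subjectPrincipalRegex("CN=(.*?),")
                .userDetailsService(userDetailsService())
                // The configurer builds its X509AuthenticationFilter internally and runs it
                // through the registered ObjectPostProcessors, so this is where the
                // AbstractPreAuthenticatedProcessingFilter flags can be set.
                .withObjectPostProcessor(new ObjectPostProcessor<X509AuthenticationFilter>() {
                    @Override
                    public <O extends X509AuthenticationFilter> O postProcess(O filter) {
                        // Re-run authentication when the CN extracted from the request's
                        // certificate no longer matches the principal already in the
                        // SecurityContext (default: never, once the session is authenticated).
                        filter.setCheckForPrincipalChanges(true);
                        // Drop the old HttpSession at the same time so nothing bound to the
                        // previous identity survives the swap; without this the new cert
                        // would silently take over the existing session.
                        filter.setInvalidateSessionOnPrincipalChange(true);
                        return filter;
                    }
                });
    }

    @Bean
    public UserDetailsService userDetailsService() {
        // Same mapping as the issue: any CN presenting a valid client cert is ADMIN.
        return username -> new User(username, "",
                Arrays.asList(new SimpleGrantedAuthority("ADMIN")));
    }
}
```

The caveat a practitioner should keep in mind: this only acts on a certificate that actually reaches the filter. The container hands Spring whatever client certificate the already-established TLS session negotiated, so as long as the browser keeps reusing that session the CN never changes and nothing is re-authenticated. Clearing the SecurityContext, as the reporter notes, does not help either, because the next request simply re-presents the cached certificate. Getting the browser to show the certificate dialog again requires the TLS session itself to end, which is exactly the close-and-reopen workaround described above and is not something the servlet application can trigger.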

samirvasani commented 2 years ago

Any update on this issue?