First working (kind of) version.

core/src/main/java/org/acegisecurity/providers/x509/X509AuthenticationProvider.java

@@ -4,6 +4,7 @@ import net.sf.acegisecurity.providers.AuthenticationProvider;
 import net.sf.acegisecurity.Authentication;
 import net.sf.acegisecurity.AuthenticationException;
 import net.sf.acegisecurity.UserDetails;
+import net.sf.acegisecurity.BadCredentialsException;
 import org.springframework.beans.factory.InitializingBean;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
@@ -11,6 +12,11 @@ import org.apache.commons.logging.LogFactory;
 import java.security.cert.X509Certificate;
 
 /**
+ * Processes an X.509 authentication request.
+ * <p>
+ * The request will typically originate from
+ * {@link net.sf.acegisecurity.ui.x509.X509ProcessingFilter}).
+ *
  * @author Luke Taylor
  */
 public class X509AuthenticationProvider implements AuthenticationProvider,
@@ -20,6 +26,7 @@ public class X509AuthenticationProvider implements AuthenticationProvider,
     private static final Log logger = LogFactory.getLog(X509AuthenticationProvider.class);
 
     //~ Instance fields ========================================================
+
     private X509AuthoritiesPopulator x509AuthoritiesPopulator;
 
     //~ Methods ================================================================
@@ -35,10 +42,19 @@ public class X509AuthenticationProvider implements AuthenticationProvider,
     }
 
     /**
+     * If the supplied authentication token contains a certificate then this will be passed
+     * to the configured {@link X509AuthoritiesPopulator}
+     * to obtain the user details and authorities for the user identified by the certificate.
+     * <p>
+     * If no certificate is present (for example, if the filter is applied to an HttpRequest for which
+     * client authentication hasn't been configured in the container) then a BadCredentialsException will be raised.
+     * </p>
      *
-     * @param authentication
-     * @return
-     * @throws AuthenticationException if the {@link X509AuthoritiesPopulator} rejects the certficate
+     * @param authentication the authentication request.
+     * @return an X509AuthenticationToken containing the authorities of the principal represented by the
+     * certificate.
+     * @throws AuthenticationException if the {@link X509AuthoritiesPopulator} rejects the certficate.
+     * @throws BadCredentialsException if no certificate was presented in the authentication request.
      */
     public Authentication authenticate(Authentication authentication) throws AuthenticationException {
         if (!supports(authentication.getClass())) {
@@ -50,8 +66,14 @@ public class X509AuthenticationProvider implements AuthenticationProvider,
 
         X509Certificate clientCertificate = (X509Certificate)authentication.getCredentials();
 
+        if(clientCertificate == null) {
+            //logger.debug("Certificate is null. Returning null Authentication.");
+            throw new BadCredentialsException("Certificate is null.");
+        }
+
         // TODO: Cache
 
+        logger.debug("Authenticating with certificate " + clientCertificate);
 
         // Lookup user details for the given certificate
         UserDetails userDetails = x509AuthoritiesPopulator.getUserDetails(clientCertificate);

core/src/main/java/org/acegisecurity/providers/x509/X509AuthenticationToken.java

@@ -3,7 +3,6 @@ package net.sf.acegisecurity.providers.x509;
 import net.sf.acegisecurity.providers.AbstractAuthenticationToken;
 import net.sf.acegisecurity.GrantedAuthority;
 
-import javax.security.cert.Certificate;
 import java.security.cert.X509Certificate;
 
 /**

core/src/main/java/org/acegisecurity/providers/x509/populator/DaoX509AuthoritiesPopulator.java

@@ -21,6 +21,8 @@ import net.sf.acegisecurity.providers.dao.AuthenticationDao;
 import net.sf.acegisecurity.providers.x509.X509AuthoritiesPopulator;
 
 import org.springframework.beans.factory.InitializingBean;
+import org.apache.commons.logging.Log;
+import org.apache.commons.logging.LogFactory;
 
 import java.security.cert.X509Certificate;
 
@@ -33,9 +35,14 @@ import java.security.cert.X509Certificate;
  */
 public class DaoX509AuthoritiesPopulator implements X509AuthoritiesPopulator,
     InitializingBean {
+    //~ Static fields/initializers =============================================
+
+    private static final Log logger = LogFactory.getLog(DaoX509AuthoritiesPopulator.class);
+
     //~ Instance fields ========================================================
 
     private AuthenticationDao authenticationDao;
+    private String userPattern;
 
     //~ Methods ================================================================
 
@@ -49,6 +56,7 @@ public class DaoX509AuthoritiesPopulator implements X509AuthoritiesPopulator,
 
     public UserDetails getUserDetails(X509Certificate clientCert)
         throws AuthenticationException {
+        logger.debug("Populating authorities for " + clientCert.getSubjectDN().getName());
         return this.authenticationDao.loadUserByUsername("marissa"/*clientCert.getSubjectDN().getName()*/);
     }