SEC-1489: Provide access to x509 certificate on <x509 /> tag #1728
Support for x509 authentication is incomplete without access to x509 certificate. Matching the certificate subject to a db register is only a part of certificate authentication. Other checks are based on the certificate itself, the certificate chain, checking against CRLs.
I know that it can be done without using the sec schema, but it is really a pity to throw away what the schema can do, only for this thing. It can be done easily, creating a context for the preauth process as it is created for the auth, or by the 'aware' interface.
Luke Taylor said:
My inclination is that we are better off leaving this as it is. It is simple to declare the X509AuthenticationFilter explicitly and avoids the obfuscation which would be caused by further namespace additions. I don't know what you mean by "creating a context for the preauth process as it is created for the auth, or by the 'aware' interface". Any additional checks would have to be added to the PreAuthenticationAuthenticationProvider which is created behind the scenes. It's more obvious using explicit beans.
Also things like CRL checks and certificate chain validation should normally occur during SSL authentication at the container level. Pre-authentication is more about loading application-specific data for an externally authenticated user.
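An added example (not from this issue or from Spring Security's own code) of the explicit-bean route the comment describes: with X509AuthenticationFilter declared by hand, the client certificate arrives as the credentials of the PreAuthenticatedAuthenticationToken, so an AuthenticationUserDetailsService wired into PreAuthenticatedAuthenticationProvider can inspect it. It assumes the Spring Security 3.x API; the class name, the `expectedIssuer` check and the in-memory user are hypothetical, and chain and CRL validation are left to the container as the comment suggests.

```java
// Added example, not from the issue or from Spring Security itself.
// Assumes Spring Security 3.x: X509AuthenticationFilter puts the client
// certificate into the credentials of a PreAuthenticatedAuthenticationToken.
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.authority.AuthorityUtils;
import org.springframework.security.core.userdetails.AuthenticationUserDetailsService;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

// Hypothetical service; wire it as preAuthenticatedUserDetailsService of an
// explicitly declared PreAuthenticatedAuthenticationProvider bean.
public class CertificateCheckingUserDetailsService
        implements AuthenticationUserDetailsService<PreAuthenticatedAuthenticationToken> {

    private final String expectedIssuer; // hypothetical: RFC 2253 name of the only accepted issuer

    public CertificateCheckingUserDetailsService(String expectedIssuer) {
        this.expectedIssuer = expectedIssuer;
    }

    public UserDetails loadUserDetails(PreAuthenticatedAuthenticationToken token)
            throws UsernameNotFoundException {
        Object credentials = token.getCredentials();
        // Defensive: the provider should only see tokens built by the X509 filter
        if (!(credentials instanceof X509Certificate)) {
            throw new BadCredentialsException("No client certificate in pre-authenticated token");
        }
        X509Certificate cert = (X509Certificate) credentials;
        // Application-level checks on the certificate itself, beyond subject matching
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            throw new BadCredentialsException("Client certificate expired or not yet valid", e);
        }
        if (!expectedIssuer.equals(cert.getIssuerX500Principal().getName())) {
            throw new BadCredentialsException("Client certificate issued by an unexpected CA");
        }
        // The principal is whatever the filter's X509PrincipalExtractor pulled from the subject
        String username = token.getPrincipal().toString();
        // Placeholder user; a real service would look the subject up in its own user store
        return new User(username, "N/A", true, true, true, true,
                AuthorityUtils.createAuthorityList("ROLE_USER"));
    }
}
```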