SEC-1489: Provide access to x509 certificate on <x509 /> tag #1728

Closed
spring-issuemaster opened this issue May 26, 2010 · 2 comments

Comments


@spring-issuemaster spring-issuemaster commented May 26, 2010

Ricardo Tercero Lozano (Migrated from SEC-1489) said:

Support for x509 authentication is incomplete without access to x509 certificate. Matching the certificate subject to a db register is only a part of certificate authentication. Other checks are based on the certificate itself, the certificate chain, checking against CRLs.

I know that it can be done without using the sec schema, but it is really a pity to throw away what the schema can do, only for this thing. It can be done easily, creating a context for the preauth process as it is created for the auth, or by the 'aware' interface.


@spring-issuemaster spring-issuemaster commented May 26, 2010

Luke Taylor said:

The certificate should be set as the credentials property of the Authentication object, so you can access it in your AuthenticationProvider and make any additional authentication checks you require.


@spring-issuemaster spring-issuemaster commented Jun 9, 2010

Luke Taylor said:

My inclination is that we are better off leaving this as it is. It is simple to declare the X509AuthenticationFilter explicitly and avoids the obfuscation which would be caused by further namespace additions. I don't know what you mean by "creating a context for the preauth process as it is created for the auth, or by the 'aware' interface". Any additional checks would have to be added to the PreAuthenticationAuthenticationProvider which is created behind the scenes. It's more obvious using explicit beans.

Also things like CRL checks and certificate chain validation should normally occur during SSL authentication at the container level. Pre-authentication is more about loading application-specific data for an externally authenticated user.
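
An added example, not part of the original thread or of Spring Security's own code: one way to make the additional checks described above by reading the certificate from the credentials of the `Authentication` object in an explicitly declared provider. The class name `CertificateCheckingProvider` and the two checks it applies (validity period, client-auth extended key usage) are assumptions chosen for illustration, and it assumes a current Spring Security on the classpath.

```java
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/** Hypothetical provider: checks the client certificate, then hands off to a delegate. */
public class CertificateCheckingProvider implements AuthenticationProvider {

    private static final String CLIENT_AUTH_EKU = "1.3.6.1.5.5.7.3.2"; // id-kp-clientAuth

    // Typically a PreAuthenticatedAuthenticationProvider declared as an explicit bean.
    private final AuthenticationProvider delegate;

    public CertificateCheckingProvider(AuthenticationProvider delegate) {
        this.delegate = delegate;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        // The X.509 pre-auth filter stores the client certificate as the credentials.
        Object credentials = authentication.getCredentials();
        if (!(credentials instanceof X509Certificate)) {
            throw new BadCredentialsException("No X.509 certificate in credentials");
        }
        X509Certificate cert = (X509Certificate) credentials;
        try {
            cert.checkValidity(); // rejects expired or not-yet-valid certificates
            List<String> eku = cert.getExtendedKeyUsage(); // null when the extension is absent
            if (eku == null || !eku.contains(CLIENT_AUTH_EKU)) {
                throw new BadCredentialsException("Certificate is not marked for client authentication");
            }
        } catch (CertificateException e) {
            throw new BadCredentialsException("Client certificate failed validation", e);
        }
        // Certificate accepted: let the delegate load the application-specific user data.
        return delegate.authenticate(authentication);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Chain building and revocation checking are left to the TLS layer here, matching the division of responsibility described in the last comment.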
