Ricardo Tercero Lozano (Migrated from SEC-1489) said:
Support for x509 authentication is incomplete without access to x509 certificate. Matching the certificate subject to a db register is only a part of certificate authentication. Other checks are based on the certificate itself, the certificate chain, checking against CRLs.
I know that it can be done without using the sec schema, but it is really a pity to throw away what the schema can do, only for this thing. It can be done easily, creating a context for the preauth process as it is created for the auth, or by the 'aware' interface.
Luke Taylor said:
The certificate should be set as the credentials property of the Authentication object, so you can access it in your AuthenticationProvider and make any additional authentication checks you require.
My inclination is that we are better off leaving this as it is. It is simple to declare the X509AuthenticationFilter explicitly and avoids the obfuscation which would be caused by further namespace additions. I don't know what you mean by "creating a context for the preauth process as it is created for the auth, or by the 'aware' interface". Any additional checks would have to be added to the PreAuthenticationAuthenticationProvider which is created behind the scenes. It's more obvious using explicit beans.
Also things like CRL checks and certificate chain validation should normally occur during SSL authentication at the container level. Pre-authentication is more about loading application-specific data for an externally authenticated user.
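To illustrate the approach Luke describes (the client certificate is available as the credentials of the token that X509AuthenticationFilter creates, so extra checks can be done in an AuthenticationProvider), here is an added example; it is not code from this thread or from the Spring Security project. It assumes a hypothetical provider class name, CertificateCheckingAuthenticationProvider, and a single trusted issuer DN passed in as expectedIssuerDn. The checks shown (validity period, issuer) are application-level policy; chain and CRL validation stay in the TLS layer, as the reply above says.

```java
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import javax.security.auth.x500.X500Principal;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationProvider;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/**
 * Hypothetical provider (not part of Spring Security) that inspects the
 * X509Certificate stored as credentials in the PreAuthenticatedAuthenticationToken
 * built by X509AuthenticationFilter, and only then delegates the user lookup to
 * the standard PreAuthenticatedAuthenticationProvider.
 */
public class CertificateCheckingAuthenticationProvider implements AuthenticationProvider {

    private final PreAuthenticatedAuthenticationProvider delegate;
    // Assumption for this example: the application trusts exactly one issuing CA.
    private final X500Principal expectedIssuer;

    public CertificateCheckingAuthenticationProvider(PreAuthenticatedAuthenticationProvider delegate,
                                                      String expectedIssuerDn) {
        this.delegate = delegate;
        this.expectedIssuer = new X500Principal(expectedIssuerDn);
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Object credentials = authentication.getCredentials();
        if (!(credentials instanceof X509Certificate)) {
            // X509AuthenticationFilter always supplies the certificate as credentials;
            // a token without one must not be treated as authenticated.
            throw new BadCredentialsException("No client certificate present in credentials");
        }
        X509Certificate cert = (X509Certificate) credentials;

        // Reject certificates outside their notBefore/notAfter window.
        try {
            cert.checkValidity();
        } catch (CertificateExpiredException | CertificateNotYetValidException e) {
            throw new BadCredentialsException("Client certificate is not within its validity period", e);
        }

        // Compare issuer as X500Principal so DN encoding differences do not matter.
        if (!expectedIssuer.equals(cert.getIssuerX500Principal())) {
            throw new BadCredentialsException(
                    "Client certificate issued by untrusted CA: " + cert.getIssuerX500Principal().getName());
        }

        // Certificate-level checks passed: load the application's user details as usual.
        return delegate.authenticate(authentication);
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Wire this provider into the AuthenticationManager in place of the bare PreAuthenticatedAuthenticationProvider, with the delegate configured with its usual AuthenticationUserDetailsService; this is exactly the "explicit beans" route the reply recommends rather than a namespace addition.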