SEC-1489: Provide access to x509 certificate on <x509 /> tag #1728

Closed
spring-issuemaster opened this Issue May 26, 2010 · 2 comments

@spring-issuemaster

Ricardo Tercero Lozano (Migrated from SEC-1489) said:

Support for x509 authentication is incomplete without access to the x509 certificate. Matching the certificate subject to a db register is only a part of certificate authentication. Other checks are based on the certificate itself, the certificate chain, and checking against CRLs.

I know that it can be done without using the sec schema, but it is really a pity to throw away what the schema can do, only for this thing. It can be done easily, creating a context for the preauth process as it is created for the auth, or by the 'aware' interface.

@spring-issuemaster

Luke Taylor said:

The certificate should be set as the credentials property of the Authentication object, so you can access it in your AuthenticationProvider and make any additional authentication checks you require.

@spring-issuemaster

Luke Taylor said:

My inclination is that we are better off leaving this as it is. It is simple to declare the X509AuthenticationFilter explicitly and avoids the obfuscation which would be caused by further namespace additions. I don't know what you mean by "creating a context for the preauth process as it is created for the auth, or by the 'aware' interface". Any additional checks would have to be added to the PreAuthenticationAuthenticationProvider which is created behind the scenes. It's more obvious using explicit beans.

Also things like CRL checks and certificate chain validation should normally occur during SSL authentication at the container level. Pre-authentication is more about loading application-specific data for an externally authenticated user.
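The approach described in the two replies above, as an added example that is not code from the original issue, from Spring Security or from either commenter: a custom AuthenticationProvider that reads the client certificate from the credentials of the PreAuthenticatedAuthenticationToken built by X509AuthenticationFilter, performs its own checks on it, and then loads application-specific user data. The class name, the pinned issuer DN and the injected UserDetailsService are assumptions; the provider is assumed to be registered with the authentication manager behind an explicitly declared X509AuthenticationFilter, in place of the PreAuthenticatedAuthenticationProvider the namespace would otherwise create.

```java
package example.security;

import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

import javax.security.auth.x500.X500Principal;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.core.userdetails.UserDetails;
import org.springframework.security.core.userdetails.UserDetailsService;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/**
 * Hypothetical provider (example code, not Spring Security's own).
 *
 * X509AuthenticationFilter hands the authentication manager a
 * PreAuthenticatedAuthenticationToken whose principal is the value it
 * extracted from the subject DN and whose credentials is the
 * java.security.cert.X509Certificate itself. That is where the
 * certificate can be picked up for any additional checks.
 */
public class CertificateCheckingAuthenticationProvider implements AuthenticationProvider {

    // Assumption: the application only trusts certificates issued by one CA,
    // identified here by its DN. Chain building and CRL/OCSP checks are
    // still left to the TLS layer in the container, as the reply above advises.
    private final X500Principal expectedIssuer;

    // Assumption: loads roles and other app-specific data by the subject-derived username.
    private final UserDetailsService userDetailsService;

    public CertificateCheckingAuthenticationProvider(String expectedIssuerDn,
                                                     UserDetailsService userDetailsService) {
        this.expectedIssuer = new X500Principal(expectedIssuerDn);
        this.userDetailsService = userDetailsService;
    }

    @Override
    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Object credentials = authentication.getCredentials();
        if (!(credentials instanceof X509Certificate)) {
            throw new BadCredentialsException("No client certificate present in credentials");
        }
        X509Certificate cert = (X509Certificate) credentials;

        // Check 1: the certificate must be within its validity period right now.
        try {
            cert.checkValidity();
        } catch (CertificateException e) {
            throw new BadCredentialsException("Client certificate is expired or not yet valid", e);
        }

        // Check 2: pin the issuer. X500Principal.equals compares canonical DNs,
        // so this does not depend on attribute ordering or string formatting.
        if (!expectedIssuer.equals(cert.getIssuerX500Principal())) {
            throw new BadCredentialsException("Client certificate issued by an unexpected CA: "
                    + cert.getIssuerX500Principal().getName());
        }

        // Pre-authentication proper: the user is already authenticated by TLS,
        // so now load the application's view of that user by the subject-derived name.
        String username = String.valueOf(authentication.getPrincipal());
        UserDetails user = userDetailsService.loadUserByUsername(username);
        if (!user.isEnabled() || !user.isAccountNonLocked()) {
            throw new BadCredentialsException("Account is disabled or locked: " + username);
        }

        // Keep the certificate as credentials so later code can still inspect it.
        PreAuthenticatedAuthenticationToken result =
                new PreAuthenticatedAuthenticationToken(user, cert, user.getAuthorities());
        result.setDetails(authentication.getDetails());
        return result;
    }

    @Override
    public boolean supports(Class<?> authentication) {
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

Because this replaces the provider that the `<x509 />` element would configure, it has to be wired by hand: declare X509AuthenticationFilter as an explicit bean with an authentication manager that references this provider, and insert the filter into the chain at the X509 position. That is the trade-off the second reply describes: the extra beans are more verbose, but they make it obvious where the additional checks run.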

@spring-issuemaster spring-issuemaster added this to the 3.1.0.M1 milestone Feb 5, 2016