Spring Security
SEC-1489

Provide access to x509 certificate on <x509 /> tag

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Minor
    • Resolution: Won't Fix
    • Affects Version/s: 3.0.2
    • Fix Version/s: 3.1.0.M1
    • Component/s: Core
    • Labels:
      None
    • Environment:
      java 1.5, tomcat 6, windows xp

      Description

      Support for X.509 authentication is incomplete without access to the X.509 certificate. Matching the certificate subject to a DB record is only a part of certificate authentication. Other checks are based on the certificate itself, the certificate chain, and checking against CRLs.

      I know that it can be done without using the sec schema, but it is really a pity to throw away what the schema can do, only for this thing. It can be done easily, creating a context for the pre-auth process as it is created for the auth, or by the 'aware' interface.

        Activity

        Luke Taylor added a comment -

        The certificate should be set as the credentials property of the Authentication object, so you can access it in your AuthenticationProvider and make any additional authentication checks you require.

        Luke Taylor added a comment -

        My inclination is that we are better off leaving this as it is. It is simple to declare the X509AuthenticationFilter explicitly and avoids the obfuscation which would be caused by further namespace additions. I don't know what you mean by "creating a context for the preauth process as it is created for the auth, or by the 'aware' interface". Any additional checks would have to be added to the PreAuthenticationAuthenticationProvider which is created behind the scenes. It's more obvious using explicit beans.

        Also things like CRL checks and certificate chain validation should normally occur during SSL authentication at the container level. Pre-authentication is more about loading application-specific data for an externally authenticated user.

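        An added example (not code from this issue or from the Spring Security project) of the approach the two comments above describe: the X509AuthenticationFilter places the client certificate in the credentials of the PreAuthenticatedAuthenticationToken, so a custom AuthenticationProvider can read it back and apply application-level checks before delegating the user lookup to the PreAuthenticatedAuthenticationProvider it wraps. The class name CertificateCheckingProvider, the constructor arguments and the specific checks (validity period, pinned issuer DN, clientAuth extended key usage) are the example's own choices; chain validation and CRL checks are left to the container, as the second comment recommends.

```java
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.CertificateParsingException;
import java.security.cert.X509Certificate;
import java.util.List;
import javax.security.auth.x500.X500Principal;

import org.springframework.security.authentication.AuthenticationProvider;
import org.springframework.security.authentication.BadCredentialsException;
import org.springframework.security.core.Authentication;
import org.springframework.security.core.AuthenticationException;
import org.springframework.security.web.authentication.preauth.PreAuthenticatedAuthenticationToken;

/**
 * Example provider (not part of Spring Security): inspects the X509Certificate
 * carried as the token's credentials and then delegates to the wrapped
 * provider (normally a PreAuthenticatedAuthenticationProvider) for user lookup.
 */
public class CertificateCheckingProvider implements AuthenticationProvider {

    // OID of id-kp-clientAuth, the extended key usage for TLS client certificates
    private static final String CLIENT_AUTH_OID = "1.3.6.1.5.5.7.3.2";

    private final AuthenticationProvider delegate;
    private final X500Principal expectedIssuer;

    // expectedIssuerDn is an assumed configuration value, e.g. "CN=Corp Client CA,O=Example"
    public CertificateCheckingProvider(AuthenticationProvider delegate, String expectedIssuerDn) {
        this.delegate = delegate;
        this.expectedIssuer = new X500Principal(expectedIssuerDn);
    }

    public Authentication authenticate(Authentication authentication) throws AuthenticationException {
        Object credentials = authentication.getCredentials();
        if (!(credentials instanceof X509Certificate)) {
            // X509AuthenticationFilter sets the certificate as credentials; anything else is rejected
            throw new BadCredentialsException("No client certificate present in credentials");
        }
        X509Certificate cert = (X509Certificate) credentials;

        // Check 1: the certificate must be inside its validity period right now
        try {
            cert.checkValidity();
        } catch (CertificateExpiredException e) {
            throw new BadCredentialsException("Client certificate has expired", e);
        } catch (CertificateNotYetValidException e) {
            throw new BadCredentialsException("Client certificate is not yet valid", e);
        }

        // Check 2: only certificates issued by the pinned CA are accepted for this application
        if (!expectedIssuer.equals(cert.getIssuerX500Principal())) {
            throw new BadCredentialsException("Unexpected certificate issuer: " + cert.getIssuerX500Principal());
        }

        // Check 3: if an extended key usage extension is present it must permit client authentication
        try {
            List<String> eku = cert.getExtendedKeyUsage();
            if (eku != null && !eku.contains(CLIENT_AUTH_OID)) {
                throw new BadCredentialsException("Certificate is not permitted for client authentication");
            }
        } catch (CertificateParsingException e) {
            throw new BadCredentialsException("Cannot parse extended key usage extension", e);
        }

        // All application-level checks passed: let the wrapped provider load the user's details
        return delegate.authenticate(authentication);
    }

    public boolean supports(Class<?> authentication) {
        return PreAuthenticatedAuthenticationToken.class.isAssignableFrom(authentication);
    }
}
```

        To use it the way the comment suggests, declare the X509AuthenticationFilter and a PreAuthenticatedAuthenticationProvider as explicit beans, wrap the provider in this class, and register the wrapper with the authentication manager; the <x509 /> element is then not needed.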

          People

          • Assignee: Luke Taylor
          • Reporter: Ricardo Tercero Lozano
          • Votes: 0
          • Watchers: 0
