Given the warning on https://apereo.github.io/cas/5.3.x/protocol/REST-Protocol.html#x509-authentication
I believe the REST X509 authentication is completely useless in a production environment. It expects a POST with cert=<certificate bytes>. This doesn't validate the public/private key handshake that the certificate is actually provided. I'd argue that cas-server-support-rest-x509 should be removed as even a possibility.

The right answer, IMO, would be to modify the RestHttpRequestCredentialFactory to have a fromRequest(HttpServletRequest request). This would allow the X509RestHttpRequestCredentialFactory to pull the javax.servlet.request.X509Certificate from the request attribute, which would evaluate the public/private key handshake.

I'd like to submit a Pull Request for this change. Any concerns I should be aware of? I'd also like to backport it to 5.3.x at least (as I assume 6.0's GA is still a ways off).

You received this message because you are subscribed to the Google Groups "CAS Community" group. To view this discussion on the web visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/960b0e2b-4fc5-4fb0-8e03-5a263bf0a6f9%40apereo.org.
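As an added illustration of the proposal in the message above (this is not CAS code, and the class and method names are hypothetical), the following Java helper reads the certificate chain that a servlet container stores under the Servlet-specification attribute javax.servlet.request.X509Certificate once TLS client authentication has completed, and contrasts it with merely parsing certificate bytes taken from a request body:

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical helper (not part of CAS) showing the difference between
 * trusting certificate bytes posted in a form field and trusting the
 * certificate the servlet container negotiated during the TLS handshake.
 */
public final class TlsClientCertificateExtractor {

    /** Attribute name defined by the Servlet specification for the client's chain. */
    public static final String CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    private TlsClientCertificateExtractor() {
    }

    /**
     * Returns the leaf certificate of the chain the container obtained through
     * TLS client authentication, or empty if no handshake produced one.
     * The container only sets this attribute after the client proved possession
     * of the private key during the handshake, so the value cannot be supplied
     * by copying public certificate bytes into a request body.
     */
    public static Optional<X509Certificate> fromRequest(HttpServletRequest request) {
        Object attr = request.getAttribute(CERT_ATTRIBUTE);
        if (!(attr instanceof X509Certificate[])) {
            return Optional.empty();
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0 || chain[0] == null) {
            return Optional.empty();
        }
        return Optional.of(chain[0]);
    }

    /**
     * Convenience wrapper for a credential factory: fail fast when the request
     * did not arrive over a mutually authenticated TLS connection, and reject
     * certificates outside their validity window. Chain trust itself is the
     * container's job (its trust store decides which client CAs are accepted).
     */
    public static X509Certificate requireTlsCertificate(HttpServletRequest request)
            throws CertificateException {
        X509Certificate cert = fromRequest(request)
                .orElseThrow(() -> new CertificateException(
                        "no client certificate negotiated on this connection"));
        cert.checkValidity(); // throws CertificateExpiredException / CertificateNotYetValidException
        return cert;
    }

    /**
     * Illustrates why the posted-bytes approach is weak: parsing succeeds for
     * any well-formed certificate regardless of who sent it. Only the encoding
     * is checked; nothing ties the bytes to the caller's private key.
     */
    public static X509Certificate fromPostedBytes(byte[] certBytes) throws CertificateException {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(certBytes));
    }
}
```

For fromRequest to ever return a value, the container must request a client certificate during the handshake (for example, a Tomcat connector configured with clientAuth="want" and a trust store holding the accepted client CAs); otherwise the attribute is absent and requireTlsCertificate fails closed rather than silently falling back to body-supplied bytes.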
