Given the warning on
I believe the REST X509 authentication is completely useless in a
production environment. It expects a POST with the cert=<certificate
bytes>. This doesn't validate the public/private key handshake that the
certificate is actually provided.
I'd argue that the cas-server-support-rest-x509 should be removed as even a
The right answer, IMO, would be to modify the
RestHttpRequestCredentialFactory to have a fromRequest(HttpServletRequest
request). This would allow the X509RestHttpRequestCredentialFactory to
pull the javax.servlet.request.X509Certificate from the request attribute,
which would evaluate the public/private key handshake.
I'd like to submit a Pull Request for this change. Any concerns I should
be aware of? I'd also like to backport it to 5.3.x at least (as I assume
6.0's GA is still a ways off).
- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
You received this message because you are subscribed to the Google Groups "CAS
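The contrast the post draws, as an added example that is not CAS's own code and not part of the original message: a credential factory that trusts a `cert=` POST parameter only learns that the caller has a copy of a public certificate, while one that reads the `javax.servlet.request.X509Certificate` request attribute (the attribute name the Servlet specification defines for the client chain) only gets a certificate when the container completed a TLS client-authentication handshake, in which the client had to sign with the matching private key. The class and method names below are hypothetical, and the code assumes a Servlet API dependency on the classpath; it is deliberately independent of CAS's `RestHttpRequestCredentialFactory` so it does not guess at that interface's exact signature in any release.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;

/** Hypothetical illustration of the two ways a REST endpoint can obtain a client certificate. */
public final class X509RequestCredentialExample {

    /** Attribute name defined by the Servlet spec; set by the container only after TLS client auth. */
    static final String X509_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    private X509RequestCredentialExample() {
    }

    /**
     * Weak: parses whatever the caller POSTs as cert=<PEM or DER bytes>.
     * Anyone who has seen the certificate (it is public by design) can replay it here,
     * so a successful parse proves nothing about possession of the private key.
     */
    static Optional<X509Certificate> fromPostedCertParameter(HttpServletRequest request)
            throws CertificateException {
        String posted = request.getParameter("cert");
        if (posted == null || posted.isEmpty()) {
            return Optional.empty();
        }
        CertificateFactory factory = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) factory.generateCertificate(
                new ByteArrayInputStream(posted.getBytes(StandardCharsets.US_ASCII)));
        return Optional.of(cert);
    }

    /**
     * Sound: takes the chain the servlet container stored after the TLS handshake.
     * The attribute is absent unless the connector requested a client certificate and the
     * client proved possession of the private key, so presence of the chain is the proof.
     * Returns the leaf certificate (index 0 per the Servlet spec) with the full chain.
     */
    static Optional<X509Certificate[]> fromTlsHandshake(HttpServletRequest request) {
        Object attribute = request.getAttribute(X509_ATTRIBUTE);
        if (!(attribute instanceof X509Certificate[])) {
            return Optional.empty();
        }
        X509Certificate[] chain = (X509Certificate[]) attribute;
        if (chain.length == 0) {
            return Optional.empty();
        }
        return Optional.of(chain);
    }

    /** Leaf subject of a handshake-backed chain, or empty when no client auth took place. */
    static Optional<String> authenticatedSubject(HttpServletRequest request) {
        return fromTlsHandshake(request)
                .map(chain -> chain[0].getSubjectX500Principal().getName());
    }
}
```

The handshake-backed path only works when the TLS connector actually asks for a client certificate (for example Tomcat's `clientAuth="want"` or `"true"` on the HTTPS connector, or the equivalent setting on a terminating proxy that re-injects the chain); with `clientAuth="false"` the attribute is never populated and `fromTlsHandshake` correctly returns empty rather than falling back to the posted bytes.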