Given the warning on

I believe the REST X509 authentication is completely useless in a 
production environment.  It expects a POST with the cert=<certificate 
bytes>.  This doesn't validate the public/private key handshake that the 
certificate is actually provided.

I'd argue that the cas-server-support-rest-x509 should be removed as even a 

The right answer, IMO, would be to modify the 
RestHttpRequestCredentialFactory to have a fromRequest(HttpServletRequest 
request).  This would allow the X509RestHttpRequestCredentialFactory to 
pull the javax.servlet.request.X509Certificate from the request attribute, 
which would evaluate the public/private key handshake.

I'd like to submit a Pull Request for this change.  Any concerns I should 
be aware of?  I'd also like to backport it to 5.3.x at least (as I assume 
6.0's GA is still a ways off).

- Website:
- Gitter Chatroom:
- List Guidelines:
- Contributions:
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
To view this discussion on the web visit

Reply via email to