I submitted PR#3457 <https://github.com/apereo/cas/pull/3457> as my first 
PR.  Please be brutal with the feedback.

I thought about leaving the existing X509RestHttpRequestCredentialFactory, 
maybe renaming it, and creating a new one for the header functionality, and 
leave the conditional to the @Configuration class, but I figured getting 
the PR in first for feedback was more important that getting it right on 
the first attempt.

On Tuesday, August 7, 2018 at 10:35:17 AM UTC-4, Curtis Ruck wrote:
> Given the warning on 
> https://apereo.github.io/cas/5.3.x/protocol/REST-Protocol.html#x509-authentication
> I believe the REST X509 authentication is completely useless in a 
> production environment.  It expects a POST with the cert=<certificate 
> bytes>.  This doesn't validate the public/private key handshake that the 
> certificate is actually provided.
> I'd argue that the cas-server-support-rest-x509 should be removed as even 
> a possibility.
> The right answer, IMO, would be to modify the 
> RestHttpRequestCredentialFactory to have a fromRequest(HttpServletRequest 
> request).  This would allow the X509RestHttpRequestCredentialFactory to 
> pull the javax.servlet.request.X509Certificate from the request attribute, 
> which would evaluate the public/private key handshake.
> I'd like to submit a Pull Request for this change.  Any concerns I should 
> be aware of?  I'd also like to backport it to 5.3.x at least (as I assume 
> 6.0's GA is still a ways off).

- Website: https://apereo.github.io/cas
- Gitter Chatroom: https://gitter.im/apereo/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
You received this message because you are subscribed to the Google Groups "CAS 
Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to cas-user+unsubscr...@apereo.org.
To view this discussion on the web visit 

Reply via email to