I submitted PR#3457 <https://github.com/apereo/cas/pull/3457> as my first PR. Please be brutal with the feedback.
I thought about leaving the existing X509RestHttpRequestCredentialFactory, maybe renaming it, and creating a new one for the header functionality, and leaving the conditional to the @Configuration class, but I figured getting the PR in first for feedback was more important than getting it right on the first attempt.

On Tuesday, August 7, 2018 at 10:35:17 AM UTC-4, Curtis Ruck wrote:

> Given the warning on https://apereo.github.io/cas/5.3.x/protocol/REST-Protocol.html#x509-authentication
>
> I believe the REST X509 authentication is completely useless in a production environment. It expects a POST with the cert=<certificate bytes>. This doesn't validate the public/private key handshake that the certificate is actually provided.
>
> I'd argue that the cas-server-support-rest-x509 should be removed as even a possibility.
>
> The right answer, IMO, would be to modify the RestHttpRequestCredentialFactory to have a fromRequest(HttpServletRequest request). This would allow the X509RestHttpRequestCredentialFactory to pull the javax.servlet.request.X509Certificate from the request attribute, which would evaluate the public/private key handshake.
>
> I'd like to submit a Pull Request for this change. Any concerns I should be aware of? I'd also like to backport it to 5.3.x at least (as I assume 6.0's GA is still a ways off).
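The contrast the thread draws, a certificate posted as `cert=<bytes>` versus the `javax.servlet.request.X509Certificate` attribute the container sets only after a completed TLS client-certificate handshake, as an added example that is not CAS project code and not the PR's diff. It assumes only the Servlet API (`javax.servlet.http.HttpServletRequest`) and the JDK; the class name `X509RequestCredentialSource`, the holder `ClientCertificate`, and the two method names are hypothetical stand-ins for whatever the real credential factory returns.

```java
package example;

import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;

/**
 * Two ways a REST endpoint could obtain a client certificate. Added illustration,
 * not CAS code: the CAS names from the thread (RestHttpRequestCredentialFactory,
 * X509RestHttpRequestCredentialFactory) are only referred to in comments.
 */
public final class X509RequestCredentialSource {

    /** Standard Servlet attribute the container populates after a TLS client-certificate handshake. */
    public static final String X509_REQUEST_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    /** Minimal holder standing in for a CAS X.509 credential (hypothetical). */
    public static final class ClientCertificate {
        private final X509Certificate[] chain;

        public ClientCertificate(X509Certificate[] chain) {
            this.chain = chain.clone();
        }

        /** The end-entity certificate presented by the peer. */
        public X509Certificate leaf() {
            return chain[0];
        }

        public X509Certificate[] chain() {
            return chain.clone();
        }
    }

    private X509RequestCredentialSource() {
    }

    /**
     * Weak source, shown only for contrast: the certificate arrives as a request
     * parameter. A certificate is public data, so anyone holding a copy can submit
     * it; nothing here proves the caller controls the matching private key.
     */
    public static Optional<String> fromPostedParameter(HttpServletRequest request) {
        return Optional.ofNullable(request.getParameter("cert"));
    }

    /**
     * Hardened source: read the chain the servlet container attached to the request
     * after it completed the TLS handshake with client authentication enabled.
     * The attribute is only present when the peer proved possession of the private
     * key during the handshake; no certificate bytes from the body are ever parsed.
     */
    public static Optional<ClientCertificate> fromTlsHandshake(HttpServletRequest request) {
        if (!request.isSecure()) {
            return Optional.empty(); // no TLS on this connection, so no handshake to rely on
        }
        Object attr = request.getAttribute(X509_REQUEST_ATTRIBUTE);
        if (!(attr instanceof X509Certificate[])) {
            return Optional.empty(); // container did not negotiate a client certificate
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0 || chain[0] == null) {
            return Optional.empty();
        }
        return Optional.of(new ClientCertificate(chain));
    }
}
```

One caveat that matters for the "header functionality" mentioned above: the attribute only exists when TLS terminates at the servlet container itself. Behind a reverse proxy that terminates TLS and forwards the certificate in a request header, the same trust question returns, and the header is only as trustworthy as the guarantee that the proxy strips any client-supplied copy of it and is the sole path to the CAS server.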