> For now, when the user gives CAS a certificate which is revoked, CAS answers
> as if the certificate does not exist (an AuthenticationException is thrown
> by X509 handler

This is a good, concrete use case that lends support to changing the AuthenticationHandler interface such that it actually throws the exception back to the caller so that the AuthenticationManager can act on the error accordingly. With the current boolean implementation, it's much more of a hack to add the functionality you want.

> My idea is to add some validity information to these credentials, in order
> to catch them in the method onError of
> X509CertificateCredentialsNonInteractiveAction class

That will work but it's ugly from a software engineering perspective. Credentials should ideally be immutable in light of security considerations. I don't think we would make this change in the core, but simply wait until 4.x to support these use cases since AuthenticationHandler is changing in the way I noted above.

M
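
The difference between a boolean handler contract and one that throws back to the caller, shown for the revoked-certificate case discussed in this thread. This is an added example, not code from the message or from CAS: every type name in it is hypothetical, and the serial numbers are constructed sample data.

```java
import java.math.BigInteger;
import java.security.GeneralSecurityException;
import java.util.List;
import java.util.Set;

// Added illustration (Java 16+): every type name here is hypothetical, not a CAS class.
public class RevocationAwareAuth {
    // Immutable credential: no validity flag is written into it after creation.
    record CertCredential(String subjectDn, BigInteger serial) {}

    // Typed failure so the caller can tell "revoked" from any other failure.
    static class RevokedCertificateException extends GeneralSecurityException {
        RevokedCertificateException(String msg) { super(msg); }
    }
    // Boolean contract: every failure cause collapses into "false".
    interface BooleanHandler { boolean authenticate(CertCredential c); }
    // Throwing contract: the failure cause reaches the caller.
    interface ThrowingHandler {
        void authenticate(CertCredential c) throws GeneralSecurityException;
    }
    enum Outcome { SUCCESS, REVOKED, UNKNOWN }

    // Stand-in for the manager: maps the exception type to a distinct outcome.
    static Outcome manage(ThrowingHandler h, CertCredential c) {
        try { h.authenticate(c); return Outcome.SUCCESS; }
        catch (RevokedCertificateException e) { return Outcome.REVOKED; }
        catch (GeneralSecurityException e) { return Outcome.UNKNOWN; }
    }

    public static void main(String[] args) {
        // Constructed sample data: trusted serials and a revocation list.
        Set<BigInteger> known = Set.of(BigInteger.valueOf(1001), BigInteger.valueOf(2002));
        Set<BigInteger> revoked = Set.of(BigInteger.valueOf(1001));
        BooleanHandler flat = c -> known.contains(c.serial()) && !revoked.contains(c.serial());
        ThrowingHandler typed = c -> {
            if (!known.contains(c.serial()))
                throw new GeneralSecurityException("unknown certificate");
            if (revoked.contains(c.serial()))
                throw new RevokedCertificateException("revoked: " + c.serial());
        };
        for (CertCredential c : List.of(
                new CertCredential("CN=alice", BigInteger.valueOf(2002)),
                new CertCredential("CN=bob", BigInteger.valueOf(1001)),
                new CertCredential("CN=eve", BigInteger.valueOf(3003)))) {
            System.out.println(c.subjectDn() + " boolean=" + flat.authenticate(c)
                    + " typed=" + manage(typed, c));
        }
    }
}
```

With the boolean contract the revoked and the unknown certificate are indistinguishable to the caller, while the throwing contract lets the caller report revocation without mutating the credential object.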
