I agree with the immutability of the Credentials, but I think X509Credentials should show much more detail about the certificate (i.e. decoding some pieces of information like notBefore, notAfter dates, DN, serialNumber, ...) than only giving us a raw certificate to handle.
Rgds.

On 22/06/2011 16:36, Marvin Addison wrote:
> > For now, when the user gives CAS a certificate which is revoked, CAS answers as if the certificate does not exist (an AuthenticationException is thrown by X509 handler
>
> This is a good, concrete use case that lends support to changing the AuthenticationHandler interface such that it actually throws the exception back to the caller so that the AuthenticationManager can act on the error accordingly. With the current boolean implementation, it's much more of a hack to add the functionality you want.
>
> > My idea is to add some validity information to these credentials, in order to catch them in the method onError of X509CertificateCredentialsNonInteractiveAction class
>
> That will work but it's ugly from a software engineering perspective. Credentials should ideally be immutable in light of security considerations. I don't think we would make this change in the core, but simply wait until 4.x to support these use cases since AuthenticationHandler is changing in the way I noted above.
>
> M
-- Philippe MARASSE Service Informatique - Centre Hospitalier Henri Laborit BP 587 - 370 avenue Jacques Coeur 86021 Poitiers Cedex Tel : 05.49.44.57.19
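
The design discussed in this thread, as an added sketch that is not part of either message and not CAS code: credentials stay immutable but expose decoded certificate fields, and the handler throws a typed exception so the caller can tell a revoked certificate from any other failure. All class and method names here are hypothetical, the revoked-serial set stands in for a real CRL lookup, and the certificate values are constructed.

```java
import java.math.BigInteger;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Set;

public class RevokedCertDemo {
    // Hypothetical immutable credentials: decoded fields are copied once, no setters.
    record CertCredentials(String subjectDn, BigInteger serial, Instant notBefore, Instant notAfter) {
        static CertCredentials of(X509Certificate c) {
            return new CertCredentials(c.getSubjectX500Principal().getName(), c.getSerialNumber(),
                    c.getNotBefore().toInstant(), c.getNotAfter().toInstant());
        }
    }

    // Hypothetical typed failures, so the caller learns why authentication failed.
    static class CertAuthException extends Exception {
        CertAuthException(String m) { super(m); }
    }
    static class RevokedException extends CertAuthException {
        RevokedException(BigInteger s) { super("certificate revoked, serial " + s); }
    }
    static class NotValidNowException extends CertAuthException {
        NotValidNowException(String dn) { super("outside validity period: " + dn); }
    }

    // Throws instead of returning false; 'revoked' stands in for a real CRL lookup.
    static void authenticate(CertCredentials c, Set<BigInteger> revoked, Instant now) throws CertAuthException {
        if (now.isBefore(c.notBefore()) || now.isAfter(c.notAfter())) throw new NotValidNowException(c.subjectDn());
        if (revoked.contains(c.serial())) throw new RevokedException(c.serial());
    }

    // Caller side (the role the thread gives to onError): pick an outcome per failure cause.
    static String outcome(CertCredentials c, Set<BigInteger> revoked, Instant now) {
        try {
            authenticate(c, revoked, now);
            return "success";
        } catch (RevokedException e) {
            return "revoked";
        } catch (CertAuthException e) {
            return "invalid";
        }
    }

    public static void main(String[] args) {
        Instant now = Instant.parse("2011-06-22T16:36:00Z"); // constructed sample values
        CertCredentials c = new CertCredentials("CN=test user,O=example", BigInteger.valueOf(4242),
                Instant.parse("2011-01-01T00:00:00Z"), Instant.parse("2012-01-01T00:00:00Z"));
        System.out.println(outcome(c, Set.of(), now));
        System.out.println(outcome(c, Set.of(BigInteger.valueOf(4242)), now));
    }
}
```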
