Given the warning on https://apereo.github.io/cas/5.3.x/protocol/REST-Protocol.html#x509-authentication
I believe the REST X509 authentication is completely useless in a production environment. It expects a POST with the cert=<certificate bytes>. This doesn't validate the public/private key handshake that the certificate is actually provided. I'd argue that the cas-server-support-rest-x509 should be removed as even a possibility. The right answer, IMO, would be to modify the RestHttpRequestCredentialFactory to have a fromRequest(HttpServletRequest request). This would allow the X509RestHttpRequestCredentialFactory to pull the javax.servlet.request.X509Certificate from the request attribute, which would evaluate the public/private key handshake. I'd like to submit a Pull Request for this change. Any concerns I should be aware of? I'd also like to backport it to 5.3.x at least (as I assume 6.0's GA is still a ways off).
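As an added illustration (not code from the original post or from CAS), here is the contrast the message draws: a certificate taken from a cert= POST parameter beside one read from the request attribute the TLS layer sets after a mutual-TLS handshake. It is written against the javax.servlet API; the class and method names are my own, and the Base64 parameter encoding is assumed.

```java
// Added illustration, not CAS project code. Assumes the javax.servlet API and
// the Servlet specification's "javax.servlet.request.X509Certificate" attribute.
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;

public final class X509CredentialSource {

    /** Weak pattern: the certificate arrives as client-supplied bytes in a
     *  POST parameter. A certificate is public data, so anyone holding a copy
     *  can submit it; possession of the matching private key is never shown.
     *  Kept here only to contrast with the method below. */
    static Optional<X509Certificate> fromPostParameter(HttpServletRequest req) {
        String param = req.getParameter("cert");
        if (param == null || param.isEmpty()) {
            return Optional.empty();
        }
        try {
            byte[] der = Base64.getDecoder().decode(param);   // assumed encoding
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return Optional.of((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        } catch (Exception e) {
            return Optional.empty();   // unparseable input: no credential
        }
    }

    /** Hardened pattern: read the chain the TLS layer placed on the request.
     *  The container sets this attribute only after a successful mutual-TLS
     *  handshake, in which the client signed the handshake transcript with the
     *  private key for the leaf certificate. A request body cannot set or
     *  override this attribute. */
    static Optional<X509Certificate> fromTlsHandshake(HttpServletRequest req) {
        if (!req.isSecure()) {
            return Optional.empty();           // no TLS on this hop, so no client cert
        }
        Object attr = req.getAttribute("javax.servlet.request.X509Certificate");
        if (!(attr instanceof X509Certificate[])) {
            return Optional.empty();           // container did not request client auth
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0 || chain[0] == null) {
            return Optional.empty();
        }
        return Optional.of(chain[0]);          // leaf certificate: the authenticated client
    }
}
```

The attribute is only present when TLS terminates in the servlet container itself with client authentication enabled; behind a reverse proxy that terminates TLS it is absent, and any certificate the proxy forwards in a header needs the same trust-boundary scrutiny as the POST parameter.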