I submitted PR#3457 <https://github.com/apereo/cas/pull/3457> as my first PR. Please be brutal with the feedback.
I thought about leaving the existing X509RestHttpRequestCredentialFactory, maybe renaming it, and creating a new one for the header functionality, and leaving the conditional to the @Configuration class, but I figured getting the PR in first for feedback was more important than getting it right on the first attempt.

On Tuesday, August 7, 2018 at 10:35:17 AM UTC-4, Curtis Ruck wrote:

> Given the warning on
> https://apereo.github.io/cas/5.3.x/protocol/REST-Protocol.html#x509-authentication
>
> I believe the REST X509 authentication is completely useless in a production environment. It expects a POST with the cert=<certificate bytes>. This doesn't validate the public/private key handshake that the certificate is actually provided.
>
> I'd argue that the cas-server-support-rest-x509 should be removed as even a possibility.
>
> The right answer, IMO, would be to modify the RestHttpRequestCredentialFactory to have a fromRequest(HttpServletRequest request). This would allow the X509RestHttpRequestCredentialFactory to pull the javax.servlet.request.X509Certificate from the request attribute, which would evaluate the public/private key handshake.
>
> I'd like to submit a Pull Request for this change. Any concerns I should be aware of? I'd also like to backport it to 5.3.x at least (as I assume 6.0's GA is still a ways off).
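The two extraction strategies contrasted in the thread, as an added illustration that is not CAS code and not part of the PR: a posted `cert=` parameter (assumed here to be base64 DER, which the thread does not specify) versus the `javax.servlet.request.X509Certificate` attribute the servlet container fills in only after the peer completed a TLS client-auth handshake with the matching private key. The class and method names are hypothetical.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;

/** Illustrative only; not CAS's X509RestHttpRequestCredentialFactory. */
public final class X509RequestCertificateExtractor {

    /** Servlet-spec attribute set by the container after a verified TLS client-auth handshake. */
    static final String CLIENT_CERT_ATTRIBUTE = "javax.servlet.request.X509Certificate";

    /**
     * The pattern the thread objects to: the caller posts cert=<bytes> and the server
     * parses it. Anyone holding a copy of the (public) certificate can submit it, because
     * no private-key operation is ever checked. Base64 DER encoding is an assumption.
     */
    static Optional<X509Certificate> fromPostedParameter(HttpServletRequest request) {
        String param = request.getParameter("cert");
        if (param == null) {
            return Optional.empty();
        }
        try {
            byte[] der = Base64.getDecoder().decode(param);
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            return Optional.of((X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der)));
        } catch (Exception e) {
            return Optional.empty();
        }
    }

    /**
     * The proposed alternative: read the chain the container verified during the TLS
     * handshake. The attribute is only present when the peer proved possession of the
     * private key, so the identity is bound to the connection, not to a value the
     * client chose to send.
     */
    static Optional<X509Certificate> fromTlsHandshake(HttpServletRequest request) {
        Object attr = request.getAttribute(CLIENT_CERT_ATTRIBUTE);
        if (!(attr instanceof X509Certificate[])) {
            return Optional.empty();
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0 || chain[0] == null) {
            return Optional.empty();
        }
        return Optional.of(chain[0]); // chain[0] is the end-entity (client) certificate
    }
}
```

The attribute is populated only when the servlet container itself terminated the client-authenticated TLS connection; behind a TLS-terminating proxy it is null, and the request should then be rejected rather than falling back to a posted value.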
