Check X509 certificate revocation status in Spring-Security before authenticating

ぃ、小莉子 submitted on 2019-12-04 04:27:35

Question


Is it possible to check the revocation status of an x509 client certificate through the CRL in spring-security before authenticating it? I've checked the documentation (http://static.springsource.org/spring-security/site/docs/3.0.x/reference/x509.html) but it doesn't mention anything about CRL.

Implementing UserService only gives you the username and not the X509Certificate. Any help would be appreciated!

Thanks!


Answer 1:


I'm not sure about the specifics of Spring-Security, but if it's based on the trustmanagers of the JRE (if it's the Oracle/Sun JRE), you can activate CRL checks by setting these system properties to true: com.sun.net.ssl.checkRevocation and com.sun.security.enableCRLDP, and setting Security.setProperty("ocsp.enable", "true") (thanks to @WillSargent for pointing out it's a Security property, not a system one).

More details here:

  • http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CERTPATH
  • http://docs.oracle.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html#AppC
  • http://blogs.oracle.com/xuelei/entry/enable_ocsp_checking

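The properties named in the answer above switch revocation checking on inside the JRE's PKIX validator; the example below is an added illustration (not code from the question, the answers, or Spring Security) of what that looks like when the check is run explicitly on a client chain rather than left to the container's trust manager. It assumes the chain has already been obtained (in a servlet container that is the `javax.servlet.request.X509Certificate` request attribute) and that a trust store holding the client CA is available; the file paths in `main` are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

public final class ClientCertRevocationCheck {

    /** Outcome of validating a client chain with revocation checking enabled. */
    public enum Status { VALID, REVOKED, INVALID }

    /**
     * Turn on the JRE's built-in revocation sources, as described in the answer above:
     * CRL Distribution Points and OCSP. Without these the validator only checks
     * signatures, validity dates and name constraints, never revocation.
     */
    public static void enableRevocationSources() {
        // Consulted by JSSE trust managers (e.g. the container's TLS stack)
        System.setProperty("com.sun.net.ssl.checkRevocation", "true");
        // Let the PKIX validator download CRLs from the certificate's CRL-DP extension
        System.setProperty("com.sun.security.enableCRLDP", "true");
        // OCSP is governed by a java.security property, not a system property
        Security.setProperty("ocsp.enable", "true");
    }

    /**
     * Validate a client certificate chain (leaf first) against the trusted CAs in
     * the given key store, with revocation checking switched on for this validation.
     * A revoked certificate is reported separately so an audit log can record it.
     */
    public static Status validate(List<X509Certificate> chain, KeyStore trustStore)
            throws GeneralSecurityException {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        // PKIXParameters(KeyStore) uses every trusted-certificate entry as a trust anchor
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(true);   // defaults to true, made explicit here
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        try {
            validator.validate(path, params);
            return Status.VALID;
        } catch (CertPathValidatorException e) {
            // BasicReason.REVOKED distinguishes "revoked" from "untrusted"/"expired"
            if (e.getReason() == CertPathValidatorException.BasicReason.REVOKED) {
                return Status.REVOKED;
            }
            return Status.INVALID;
        }
    }

    /** Load a JKS/PKCS12 trust store from disk (assumed path and password). */
    public static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Load a PEM or DER encoded certificate chain file (assumed path), leaf first. */
    public static List<X509Certificate> loadChain(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> chain = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (java.security.cert.Certificate c : cf.generateCertificates(in)) {
                chain.add((X509Certificate) c);
            }
        }
        return chain;
    }

    public static void main(String[] args) throws Exception {
        enableRevocationSources();
        // Placeholder paths and password; replace with the deployment's own values
        KeyStore trust = loadTrustStore("/path/to/client-ca-truststore.p12", "changeit".toCharArray());
        List<X509Certificate> chain = loadChain("/path/to/client-chain.pem");
        System.out.println("client certificate status: " + validate(chain, trust));
    }
}
```

Note that CRL-DP and OCSP lookups are network calls made during validation; if the CRL or responder is unreachable the validator fails closed with `INVALID` rather than silently passing the certificate, which is the safe default for a client-certificate gate. Whether Spring Security ever sees a revoked certificate depends on the container performing this check during the handshake, as the next answer points out.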


Answer 2:


The SSL handshake is performed by the servlet container, rather than Spring Security, so any CRL checking should probably occur at that point. Spring Security treats it as a "pre-authentication" scenario.

Spring Security just reads the (already SSL-authenticated) certificate and allows you to link it to a local user account.



Source: https://stackoverflow.com/questions/8506661/check-x509-certificate-revocation-status-in-spring-security-before-authenticatin
