Is it possible to check the revocation status of an X.509 client certificate through the CRL in spring-security before authenticating it? I've checked documentations (http://
The SSL handshake is performed by the servlet container, rather than Spring Security, so any CRL checking should probably occur at that point. Spring Security treats it as a "pre-authentication" scenario.
Spring Security just reads the (already SSL-authenticated) certificate and allows you to link it to a local user account.
I'm not sure about the specifics of Spring-Security, but if it's based on the trust managers of the JRE (if it's the Oracle/Sun JRE), you can activate CRL checks by setting these system properties to true: com.sun.net.ssl.checkRevocation and com.sun.security.enableCRLDP, and setting Security.setProperty("ocsp.enable", "true") (thanks to @WillSargent for pointing out it's a Security property, not a system one).
More details here:
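The two mechanisms the answer above names, as an added example that is not code from either answer: the JVM-wide properties that make the default PKIX trust manager consult CRLs/OCSP during the container's handshake, and an explicit PKIX validation with PKIXRevocationChecker that an application can run on the already-handshaken chain before mapping it to a local user. The trust KeyStore holding the issuing CA and the method names are assumptions.

```java
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.PKIXRevocationChecker;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.EnumSet;

/** Revocation checks for a TLS client certificate chain (added example, not from the answers). */
public final class ClientCertRevocation {

    /** The JVM-wide switches named in the answer: the default PKIX TrustManager then fetches CRLs
     *  from the certificate's CRL Distribution Points and queries OCSP during the handshake. */
    public static void enableJvmRevocationChecks() {
        System.setProperty("com.sun.net.ssl.checkRevocation", "true"); // system property
        System.setProperty("com.sun.security.enableCRLDP", "true");    // system property: follow CRL DPs
        Security.setProperty("ocsp.enable", "true");                   // Security property, not a system one
    }

    /**
     * Explicit PKIX validation of a chain the container already authenticated, e.g. in the
     * pre-authentication step before linking the certificate to a user account.
     * "trust" is an assumed KeyStore whose entries are the trusted issuing CA(s).
     * Returns true only if the chain builds to a trust anchor and no certificate in it is revoked;
     * an unreachable CRL/OCSP responder is a hard failure (SOFT_FAIL is deliberately not set).
     */
    public static boolean isChainValidAndNotRevoked(X509Certificate[] chain, KeyStore trust) {
        try {
            CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(Arrays.asList(chain));
            CertPathValidator cpv = CertPathValidator.getInstance("PKIX");
            PKIXRevocationChecker rc = (PKIXRevocationChecker) cpv.getRevocationChecker();
            // Prefer CRLs (the question's mechanism); the checker falls back to OCSP on its own.
            rc.setOptions(EnumSet.of(PKIXRevocationChecker.Option.PREFER_CRLS));
            PKIXParameters params = new PKIXParameters(trust);
            params.addCertPathChecker(rc); // an explicit checker replaces the default revocation check
            cpv.validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            // e.getReason() distinguishes REVOKED from UNDETERMINED_REVOCATION_STATUS for logging
            return false;
        } catch (GeneralSecurityException e) {
            return false;
        }
    }
}
```

Call enableJvmRevocationChecks() before the first validation: without com.sun.security.enableCRLDP the checker only sees CRLs you add via params.addCertStore(...) rather than fetching them from the Distribution Point URL.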