Dec 14th, 2011, 09:11 AM
Check X509 certificate revocation status in Spring-Security before authenticating
Is it possible to check the revocation status of an x509 client certificate through the CRL in spring-security before authenticating it? I've checked the documentation (http://static.springsource.org/sprin...ence/x509.html) but it doesn't mention anything about CRL.
Implementing UserService only gives you the username and not the X509Certificate. Any help would be appreciated!
Dec 14th, 2011, 02:58 PM
No, there's no functionality for checking CRLs. The SSL handshake is performed by the servlet container, so that is most likely where any CRL checking ought to occur. Spring Security's X.509 authentication assumes that the certificate is valid from an SSL perspective and only attempts to translate the data into a valid user identity in the local system.
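An added example, not part of the original thread and not Spring Security code: a check that uses only the JDK's PKIX validator to reject a client certificate listed on its CA's CRL. The class name and the three file arguments (`client.pem`, `ca.pem`, `ca.crl`) are hypothetical, and it assumes the client certificate is issued directly by the CA with no intermediates.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.cert.*;
import java.util.Collections;

public class ClientCertCrlCheck {

    private static final CertificateFactory CF = factory();

    private static CertificateFactory factory() {
        try { return CertificateFactory.getInstance("X.509"); }
        catch (CertificateException e) { throw new IllegalStateException(e); }
    }

    /** Throws CertPathValidatorException if the certificate is invalid, revoked,
     *  or if no usable CRL covers it. */
    public static void validate(X509Certificate client, X509Certificate issuingCa, X509CRL crl)
            throws Exception {
        // Assumption: a single trust anchor that directly issued the client certificate.
        PKIXParameters params = new PKIXParameters(
                Collections.singleton(new TrustAnchor(issuingCa, null)));
        // With revocation enabled, validation fails closed when status cannot be determined.
        params.setRevocationEnabled(true);
        params.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(Collections.singletonList(crl))));

        CertPath path = CF.generateCertPath(Collections.singletonList(client));
        CertPathValidator.getInstance("PKIX").validate(path, params);
    }

    private static X509Certificate loadCert(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509Certificate) CF.generateCertificate(in);
        }
    }

    private static X509CRL loadCrl(String file) throws Exception {
        try (InputStream in = new FileInputStream(file)) {
            return (X509CRL) CF.generateCRL(in);
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical arguments: client.pem ca.pem ca.crl
        try {
            validate(loadCert(args[0]), loadCert(args[1]), loadCrl(args[2]));
            System.out.println("certificate is valid and not revoked");
        } catch (CertPathValidatorException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

In a servlet application the client chain presented during the handshake is available as the request attribute `javax.servlet.request.X509Certificate`, so the same `validate` call can run in a filter placed ahead of the X.509 authentication step.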