进行身份验证之前，请在Spring-Security中检查X509证书吊销状态 [英] Check X509 certificate revocation status in Spring-Security before authenticating

问题描述

在进行身份验证之前，是否可以通过CRL在spring-security中检查x509客户端证书的吊销状态?我已经检查了文档(http://static.springsource.org/spring-security/site/docs/3.0.x/reference/x509.html)，但未提及CRL.

Is it possible to check the revocation status of a x509 client certificate through the CRL in spring-security before authenticating it? I've checked documentations (http://static.springsource.org/spring-security/site/docs/3.0.x/reference/x509.html) but it doesn't mention anything about CRL.

实施UserService仅为您提供用户名，而不提供X509Certificate.任何帮助将不胜感激！

Implementing UserService only gives you the username and not the X509Certificate. Any help would be appreciated!

谢谢！

推荐答案

我不确定Spring-Security的细节，但是它是否基于JRE的信任管理器(如果是Oracle/Sun JRE). ，您可以通过将以下系统属性设置为true:com.sun.net.ssl.checkRevocation和com.sun.security.enableCRLDP并设置Security.setProperty("ocsp.enable", "true")来激活CRL检查(感谢@WillSargent指出它是Security属性，而不是系统属性).

I'm not sure about the specifics of Spring-Security, but if it's based on the trustmanagers of the JRE (if if it's the Oracle/Sun JRE), you can activate CRL checks by setting these system properties to true: com.sun.net.ssl.checkRevocation and com.sun.security.enableCRLDP, and setting Security.setProperty("ocsp.enable", "true") (thanks to @WillSargent for pointing out it's a Security property, not a system one).

此处有更多详细信息:

• http://docs. oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CERTPATH
• http://docs. oracle.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html#AppC
• http://blogs.oracle.com/xuelei/entry/enable_ocsp_checking

• http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CERTPATH
• http://docs.oracle.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html#AppC
• http://blogs.oracle.com/xuelei/entry/enable_ocsp_checking

这篇关于进行身份验证之前，请在Spring-Security中检查X509证书吊销状态的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！