Checking X509 certificate revocation status in Spring-Security before authenticating

Problem description

Is it possible to check the revocation status of an x509 client certificate through the CRL in spring-security before authenticating it? I've checked the documentation (http://static.springsource.org/spring-security/site/docs/3.0.x/reference/x509.html) but it doesn't mention anything about CRL.

Implementing UserService only gives you the username and not the X509Certificate. Any help would be appreciated!

Thanks!

Recommended answer

I'm not sure about the specifics of Spring-Security, but if it's based on the trust managers of the JRE (if it's the Oracle/Sun JRE), you can activate CRL checks by setting these system properties to true: com.sun.net.ssl.checkRevocation and com.sun.security.enableCRLDP, and setting Security.setProperty("ocsp.enable", "true") (thanks to @WillSargent for pointing out it's a Security property, not a system one).

More details here:

  • http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CERTPATH
  • http://docs.oracle.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html#AppC
  • http://blogs.oracle.com/xuelei/entry/enable_ocsp_checking
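The settings named in the answer, as an added example that is not part of the original answer: it sets the three properties JVM-wide and also shows the per-context equivalent through the standard PKIX trust manager API. It assumes the TLS handshake that validates the client certificate runs on the JRE's own trust managers; the class name, method names and command-line arguments are hypothetical.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.PKIXBuilderParameters;
import java.security.cert.X509CertSelector;
import javax.net.ssl.CertPathTrustManagerParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper class, not Spring-Security code.
public class RevocationCheckSetup {

    // JVM-wide switches from the answer. Call this before the first
    // SSLContext is created, otherwise the default trust manager has
    // already been built without revocation checking.
    static void enableGlobally() {
        // Revocation checking in the JSSE PKIX trust manager (system property).
        System.setProperty("com.sun.net.ssl.checkRevocation", "true");
        // Fetch CRLs from the certificate's CRL Distribution Points extension.
        System.setProperty("com.sun.security.enableCRLDP", "true");
        // OCSP is a Security property, not a system property.
        Security.setProperty("ocsp.enable", "true");
    }

    // Per-context alternative: trust managers built from PKIX parameters
    // with revocation checking switched on explicitly.
    static TrustManager[] revocationCheckingTrustManagers(KeyStore trustStore) throws Exception {
        PKIXBuilderParameters pkix = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        pkix.setRevocationEnabled(true);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));
        return tmf.getTrustManagers();
    }

    // Usage (hypothetical arguments): <trust store path> <trust store password>
    public static void main(String[] args) throws Exception {
        enableGlobally();
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            trustStore.load(in, args[1].toCharArray());
        }
        TrustManager[] tms = revocationCheckingTrustManagers(trustStore);
        System.out.println("PKIX trust managers with revocation checking: " + tms.length);
    }
}
```

With revocation checking on, a client certificate whose status cannot be determined (no reachable CRL or OCSP responder) fails path validation, so the handshake is rejected before the application's authentication code is reached.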
