Problem description
Is it possible to check the revocation status of an x509 client certificate through the CRL in spring-security before authenticating it? I've checked the documentation (http://static.springsource.org/spring-security/site/docs/3.0.x/reference/x509.html), but it doesn't mention anything about CRL.
Implementing UserService only gives you the username and not the X509Certificate. Any help would be appreciated!
Thanks!
Recommended answer
I'm not sure about the specifics of Spring-Security, but if it's based on the trustmanagers of the JRE (if it's the Oracle/Sun JRE), you can activate CRL checks by setting these system properties to true: com.sun.net.ssl.checkRevocation and com.sun.security.enableCRLDP, and setting Security.setProperty("ocsp.enable", "true") (thanks to @WillSargent for pointing out it's a Security property, not a system one).
More details here:
- http://docs.oracle.com/javase/6/docs/technotes/guides/security/jsse/JSSERefGuide.html#CERTPATH
- http://docs.oracle.com/javase/6/docs/technotes/guides/security/certpath/CertPathProgGuide.html#AppC
- http://blogs.oracle.com/xuelei/entry/enable_ocsp_checking
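Added example (not part of the original answer, and not Spring Security's own code): one way to run the revocation check explicitly with the JDK's PKIX validator, using the properties the answer names. The class name `RevocationCheck`, the command-line arguments and the input files are assumptions; in a servlet container the client chain is available in the `javax.servlet.request.X509Certificate` request attribute.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Security;
import java.security.cert.*;
import java.util.ArrayList;
import java.util.List;

public final class RevocationCheck {

    /** Throws CertPathValidatorException if the chain is untrusted, expired or revoked. */
    public static void validate(List<? extends Certificate> chain, KeyStore trustStore)
            throws GeneralSecurityException {
        List<Certificate> path = new ArrayList<Certificate>(chain);
        // A PKIX path must not contain the trust anchor: drop a trailing self-signed root.
        if (path.size() > 1) {
            X509Certificate last = (X509Certificate) path.get(path.size() - 1);
            if (last.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                path.remove(path.size() - 1);
            }
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        // Trusted certificate entries in the store become the trust anchors.
        PKIXParameters params = new PKIXParameters(trustStore);
        // Fails closed: if no CRL/OCSP status can be obtained, validation is rejected.
        params.setRevocationEnabled(true);
        CertPathValidator.getInstance("PKIX").validate(certPath, params);
    }

    // Usage (hypothetical file names):
    //   java -Dcom.sun.security.enableCRLDP=true RevocationCheck chain.pem truststore.jks password
    public static void main(String[] args) throws Exception {
        // Security property, not a system property, as the answer notes.
        Security.setProperty("ocsp.enable", "true");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[1])) {
            trustStore.load(in, args[2].toCharArray());
        }
        try (InputStream in = new FileInputStream(args[0])) {
            // PEM file with the client certificate first, then its issuers.
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            validate(new ArrayList<Certificate>(cf.generateCertificates(in)), trustStore);
        }
        System.out.println("chain valid and not revoked");
    }
}
```

Because this calls the validator directly with `setRevocationEnabled(true)`, `com.sun.net.ssl.checkRevocation` is not needed here; that property switches the check on for the JSSE default trust manager during the TLS handshake.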