Integration libraries and samples for authenticating users and clients bound to XSUAA authentication and authorization service or Identity authentication service.
Apache License 2.0
Remove new X5tCertificateThumbprintValidator from spring-xsuaa module #1579
spring-security has added a new x5t certificate thumbprint validator to the list of default validators: https://github.com/spring-projects/spring-security/commit/644cfa9f875409d2b2bf01cd791d1a906e44c500#diff-a4724ab787f6f0344a9ab4d3d8f1ce9b0cd16f0b24a51d497b3290b41ed43a04R70-R73
This new validator is automatically getting used in the XsuaaJwtDecoder of the spring-xsuaa module of this lib once consumers update to a newer spring-security version. This validator does not work for typical usage scenarios of this lib without further configuration because it expects a client certificate in the request. As TLS termination is done earlier by BTP and the certificate is instead forwarded in a header that is not used by the new validator, it will always fail to find a certificate for the validation.
To restore the previous functionality of the spring-xsuaa module, which is in maintenance mode, I am explicitly importing only the previous default validator(s) instead, which happens to be only a timestamp validator.
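What a certificate thumbprint check compares, and why it matters where the certificate is read from when TLS terminates upstream, shown as an added plain-JDK example (not code from this PR, this library or Spring Security). The header name `x-forwarded-client-cert`, the class and method names, the choice to return `false` when no thumbprint or certificate is present, and the stand-in certificate bytes are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;

public class ForwardedCertThumbprintCheck {
    /** RFC 8705 x5t#S256: unpadded base64url of SHA-256 over the DER-encoded certificate. */
    static String x5tS256(byte[] derCertificate) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(derCertificate);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(digest);
    }

    /** Extracts DER bytes from a header value holding base64 DER, with or without PEM armor. */
    static Optional<byte[]> derFromHeader(String headerValue) {
        if (headerValue == null || headerValue.isBlank()) {
            return Optional.empty();
        }
        String b64 = headerValue.replaceAll("-----(BEGIN|END) CERTIFICATE-----|\\s", "");
        try {
            return Optional.of(Base64.getDecoder().decode(b64));
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // malformed header content
        }
    }

    /** True only if the token's cnf thumbprint matches the certificate found in the header. */
    static boolean matches(String cnfX5tS256, Map<String, String> headers, String headerName)
            throws NoSuchAlgorithmException {
        Optional<byte[]> der = derFromHeader(headers.get(headerName));
        if (cnfX5tS256 == null || der.isEmpty()) {
            return false; // nothing to compare: no thumbprint claim or no certificate available
        }
        byte[] expected = cnfX5tS256.getBytes(StandardCharsets.US_ASCII);
        byte[] actual = x5tS256(der.get()).getBytes(StandardCharsets.US_ASCII);
        return MessageDigest.isEqual(expected, actual); // constant-time comparison
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: arbitrary bytes standing in for a DER certificate.
        byte[] fakeDer = "constructed stand-in for DER bytes".getBytes(StandardCharsets.US_ASCII);
        String header = Base64.getEncoder().encodeToString(fakeDer);
        String cnf = x5tS256(fakeDer); // value a certificate-bound token would carry in cnf["x5t#S256"]
        String name = "x-forwarded-client-cert"; // assumed header name
        System.out.println("header present: " + matches(cnf, Map.of(name, header), name));
        System.out.println("header absent:  " + matches(cnf, Map.of(), name));
    }
}
```

A certificate taken from a request header is only meaningful if the TLS-terminating proxy removes any client-supplied copy of that header before setting its own.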