previous X509 auth result contains subject with no public credentials
Bobby Lawrence
robertl at jlab.org
Mon Nov 23 22:57:49 UTC 2020
> I didn't recall that that class looked at an X500Principal, I thought it bailed if the certificate was missing. That would be a problem. All the more
> reason to chew on it a bit before I rush into any fixes.
It does...at least in 3.4.7
Per the "doPreExecute" method in net.shibboleth.idp.authn.impl.X500SubjectCanonicalization:

    final Set<X509Certificate> certificates = c14nContext.getSubject().getPublicCredentials(X509Certificate.class);
    if (certificates != null && certificates.size() == 1) {
        certificate = certificates.iterator().next();
        x500Principal = certificate.getSubjectX500Principal();
    } else {
        final Set<X500Principal> principals = c14nContext.getSubject().getPrincipals(X500Principal.class);
        if (principals != null && principals.size() == 1) {
            x500Principal = principals.iterator().next();
        }
    }