Class X509Properties

java.lang.Object
org.apereo.cas.configuration.model.support.x509.X509Properties

- All Implemented Interfaces:
  Serializable

@RequiresModule(name="cas-server-support-x509-webflow")
public class X509Properties
extends Object
implements Serializable

This is X509Properties.

- Since:
  5.0.0
- See Also:
Nested Class Summary

- static enum X509Properties.PrincipalTypes
  The principal resolution types.
Constructor Summary

- X509Properties()
Method Summary

- int getCacheMaxElementsInMemory()
  When CRLs are cached, indicate the maximum number of elements kept in memory.
- String getCacheTimeToLiveSeconds()
  When CRLs are cached, indicate the time-to-live of cache items.
- getCnEdipi()
  Principal resolver properties for CN_EDIPI resolver type.
- String getCrlExpiredPolicy()
  If the CRL has expired, activate this policy.
- String getCrlFetcher()
  Options to describe how to fetch CRL resources.
- String getCrlResourceExpiredPolicy()
  If the CRL resource has expired, activate this policy.
- List<String> getCrlResources()
  List of CRL resources to use for fetching.
- String getCrlResourceUnavailablePolicy()
  If the CRL resource is unavailable, activate this policy.
- String getCrlUnavailablePolicy()
  If the CRL is unavailable, activate this policy.
- X509LdapProperties getLdap()
  LDAP settings when fetching CRLs from LDAP.
- int getMaxPathLength()
  Deployer supplied setting for maximum pathLength in a SUPPLIED certificate.
- getName()
  The authentication handler name.
- int getOrder()
  The order of the authentication handler in the chain.
- getPrincipal()
  Principal resolution properties.
- String getPrincipalDescriptor()
  The principal descriptor used for principal resolution when type is set to X509Properties.PrincipalTypes.SUBJECT.
- PrincipalTransformationProperties getPrincipalTransformation()
  Principal transformation properties.
- X509Properties.PrincipalTypes getPrincipalType()
  Indicates the type of principal resolution for X509.
- int getRefreshIntervalSeconds()
  The refresh interval of the internal scheduler in cases where CRL revocation checking is done via resources.
- String getRegExSubjectDnPattern()
  The pattern that authorizes an acceptable certificate by its subject DN.
- String getRegExTrustedIssuerDnPattern()
  The compiled pattern supplied by the deployer.
- String getRevocationChecker()
  Revocation certificate checking can be carried out in one of the following ways: NONE, CRL or RESOURCE.
- int getRevocationPolicyThreshold()
  Threshold value if expired CRL revocation policy is to be handled via threshold.
- Rfc822EmailPrincipalResolverProperties getRfc822Email()
  Principal resolver properties for RFC822_EMAIL resolver type.
- getSerialNo()
  Principal resolver properties for SERIAL_NO resolver type.
- SerialNoDnPrincipalResolverProperties getSerialNoDn()
  Principal resolver properties for SERIAL_NO_DN resolver type.
- String getSslHeaderName()
  The name of the header to consult for an X509 cert (e.g. when behind a proxy).
- SubjectAltNamePrincipalResolverProperties getSubjectAltName()
  Principal resolver properties for SUBJECT_ALT_NAME resolver type.
- SubjectDnPrincipalResolverProperties getSubjectDn()
  Principal resolver properties for SUBJECT_DN resolver type.
- getWebflow()
  The webflow configuration.
- boolean isCheckAll()
  Whether revocation checking should check all resources, or stop at the first one.
- boolean isCheckKeyUsage()
  Deployer supplied setting to check the KeyUsage extension.
- boolean isExtractCert()
  Whether to extract the certificate from the request.
- boolean isMaxPathLengthAllowUnspecified()
  Deployer supplied setting to allow unlimited pathLength in a SUPPLIED certificate.
- boolean isMixedMode()
  Determine whether X509 authentication should allow other forms of authentication such as username/password.
- boolean isRequireKeyUsage()
  Deployer supplied setting to forcibly require the correct KeyUsage extension.
- boolean isThrowOnFetchFailure()
  When CRL revocation checking is done via distribution points, decide if fetch failures should throw errors.
- X509Properties setCacheMaxElementsInMemory(int cacheMaxElementsInMemory)
  When CRLs are cached, indicate the maximum number of elements kept in memory.
- X509Properties setCacheTimeToLiveSeconds(String cacheTimeToLiveSeconds)
  When CRLs are cached, indicate the time-to-live of cache items.
- X509Properties setCheckAll(boolean checkAll)
  Whether revocation checking should check all resources, or stop at the first one.
- X509Properties setCheckKeyUsage(boolean checkKeyUsage)
  Deployer supplied setting to check the KeyUsage extension.
- setCnEdipi(...)
  Principal resolver properties for CN_EDIPI resolver type.
- X509Properties setCrlExpiredPolicy(String crlExpiredPolicy)
  If the CRL has expired, activate this policy.
- X509Properties setCrlFetcher(String crlFetcher)
  Options to describe how to fetch CRL resources.
- X509Properties setCrlResourceExpiredPolicy(String crlResourceExpiredPolicy)
  If the CRL resource has expired, activate this policy.
- X509Properties setCrlResources(List<String> crlResources)
  List of CRL resources to use for fetching.
- X509Properties setCrlResourceUnavailablePolicy(String crlResourceUnavailablePolicy)
  If the CRL resource is unavailable, activate this policy.
- X509Properties setCrlUnavailablePolicy(String crlUnavailablePolicy)
  If the CRL is unavailable, activate this policy.
- X509Properties setExtractCert(boolean extractCert)
  Whether to extract the certificate from the request.
- X509Properties setLdap(X509LdapProperties ldap)
  LDAP settings when fetching CRLs from LDAP.
- X509Properties setMaxPathLength(int maxPathLength)
  Deployer supplied setting for maximum pathLength in a SUPPLIED certificate.
- X509Properties setMaxPathLengthAllowUnspecified(boolean maxPathLengthAllowUnspecified)
  Deployer supplied setting to allow unlimited pathLength in a SUPPLIED certificate.
- X509Properties setMixedMode(boolean mixedMode)
  Determine whether X509 authentication should allow other forms of authentication such as username/password.
- setName(...)
  The authentication handler name.
- X509Properties setOrder(int order)
  The order of the authentication handler in the chain.
- setPrincipal(...)
  Principal resolution properties.
- X509Properties setPrincipalDescriptor(String principalDescriptor)
  The principal descriptor used for principal resolution when type is set to X509Properties.PrincipalTypes.SUBJECT.
- X509Properties setPrincipalTransformation(PrincipalTransformationProperties principalTransformation)
  Principal transformation properties.
- X509Properties setPrincipalType(X509Properties.PrincipalTypes principalType)
  Indicates the type of principal resolution for X509.
- X509Properties setRefreshIntervalSeconds(int refreshIntervalSeconds)
  The refresh interval of the internal scheduler in cases where CRL revocation checking is done via resources.
- X509Properties setRegExSubjectDnPattern(String regExSubjectDnPattern)
  The pattern that authorizes an acceptable certificate by its subject DN.
- X509Properties setRegExTrustedIssuerDnPattern(String regExTrustedIssuerDnPattern)
  The compiled pattern supplied by the deployer.
- X509Properties setRequireKeyUsage(boolean requireKeyUsage)
  Deployer supplied setting to forcibly require the correct KeyUsage extension.
- X509Properties setRevocationChecker(String revocationChecker)
  Revocation certificate checking can be carried out in one of the following ways: NONE, CRL or RESOURCE.
- X509Properties setRevocationPolicyThreshold(int revocationPolicyThreshold)
  Threshold value if expired CRL revocation policy is to be handled via threshold.
- X509Properties setRfc822Email(Rfc822EmailPrincipalResolverProperties rfc822Email)
  Principal resolver properties for RFC822_EMAIL resolver type.
- setSerialNo(...)
  Principal resolver properties for SERIAL_NO resolver type.
- X509Properties setSerialNoDn(SerialNoDnPrincipalResolverProperties serialNoDn)
  Principal resolver properties for SERIAL_NO_DN resolver type.
- X509Properties setSslHeaderName(String sslHeaderName)
  The name of the header to consult for an X509 cert (e.g. when behind a proxy).
- X509Properties setSubjectAltName(SubjectAltNamePrincipalResolverProperties subjectAltName)
  Principal resolver properties for SUBJECT_ALT_NAME resolver type.
- X509Properties setSubjectDn(SubjectDnPrincipalResolverProperties subjectDn)
  Principal resolver properties for SUBJECT_DN resolver type.
- X509Properties setThrowOnFetchFailure(boolean throwOnFetchFailure)
  When CRL revocation checking is done via distribution points, decide if fetch failures should throw errors.
- setWebflow(...)
  The webflow configuration.
-
Constructor Details

X509Properties
public X509Properties()
Method Details

getRevocationPolicyThreshold
public int getRevocationPolicyThreshold()
Threshold value if expired CRL revocation policy is to be handled via threshold.

isCheckAll
public boolean isCheckAll()
Whether revocation checking should check all resources, or stop at the first one.

getRefreshIntervalSeconds
public int getRefreshIntervalSeconds()
The refresh interval of the internal scheduler in cases where CRL revocation checking is done via resources.

getPrincipalDescriptor
The principal descriptor used for principal resolution when type is set to X509Properties.PrincipalTypes.SUBJECT.

isThrowOnFetchFailure
public boolean isThrowOnFetchFailure()
When CRL revocation checking is done via distribution points, decide if fetch failures should throw errors.

getPrincipalType
Indicates the type of principal resolution for X509.

getRevocationChecker
Revocation certificate checking can be carried out in one of the following ways:
- NONE: No revocation is performed.
- CRL: The CRL URI(s) mentioned in the certificate cRLDistributionPoints extension field. Caches are available to prevent excessive IO against CRL endpoints. CRL data is fetched if it does not exist in the cache or if it is expired.
- RESOURCE: A CRL hosted at a fixed location. The CRL is fetched at periodic intervals and cached.

getCrlFetcher
Options to describe how to fetch CRL resources. To fetch CRLs, the following options are available:
- RESOURCE: By default, all revocation checks use fixed resources to fetch the CRL resource from the specified location.
- LDAP: A CRL resource may be fetched from a pre-configured attribute, in the event that the CRL resource location is an LDAP URI.

getCrlResources
List of CRL resources to use for fetching.

getCacheMaxElementsInMemory
public int getCacheMaxElementsInMemory()
When CRLs are cached, indicate the maximum number of elements kept in memory.

isMixedMode
public boolean isMixedMode()
Determine whether X509 authentication should allow other forms of authentication such as username/password. If this setting is turned off, typically the ability to view the login form as the primary form of authentication is turned off.

getCacheTimeToLiveSeconds
When CRLs are cached, indicate the time-to-live of cache items.

getCrlResourceExpiredPolicy
If the CRL resource has expired, activate this policy. Activated if revocationChecker is RESOURCE. Accepted values are:
- ALLOW: Allow authentication to proceed.
- DENY: Deny authentication and block.
- THRESHOLD: Applicable to CRL expiration; throttle the request whereby expired data is permitted up to a threshold period of time but not afterward.

getCrlExpiredPolicy
If the CRL has expired, activate this policy. Activated if revocationChecker is CRL. Accepted values are:
- ALLOW: Allow authentication to proceed.
- DENY: Deny authentication and block.
- THRESHOLD: Applicable to CRL expiration; throttle the request whereby expired data is permitted up to a threshold period of time but not afterward.

getPrincipal
Principal resolution properties.

getLdap
LDAP settings when fetching CRLs from LDAP.

getRegExTrustedIssuerDnPattern
The compiled pattern supplied by the deployer.

getMaxPathLength
public int getMaxPathLength()
Deployer supplied setting for maximum pathLength in a SUPPLIED certificate.

isMaxPathLengthAllowUnspecified
public boolean isMaxPathLengthAllowUnspecified()
Deployer supplied setting to allow unlimited pathLength in a SUPPLIED certificate.

isCheckKeyUsage
public boolean isCheckKeyUsage()
Deployer supplied setting to check the KeyUsage extension.

isRequireKeyUsage
public boolean isRequireKeyUsage()
Deployer supplied setting to forcibly require the correct KeyUsage extension.

getRegExSubjectDnPattern
The pattern that authorizes an acceptable certificate by its subject DN.

getName
The authentication handler name.

getOrder
public int getOrder()
The order of the authentication handler in the chain.

isExtractCert
public boolean isExtractCert()
Whether to extract the certificate from the request. The default implementation extracts the certificate from a header via Tomcat SSLValve parsing logic, using the DEFAULT_CERT_HEADER_NAME header. Must be false by default: whoever enables it needs to make sure CAS is behind a proxy that will not let the header arrive directly from the browser.

getSslHeaderName
The name of the header to consult for an X509 cert (e.g. when behind a proxy).

getSubjectDn
Principal resolver properties for SUBJECT_DN resolver type.

getCnEdipi
Principal resolver properties for CN_EDIPI resolver type.

getSubjectAltName
Principal resolver properties for SUBJECT_ALT_NAME resolver type.

getRfc822Email
Principal resolver properties for RFC822_EMAIL resolver type.

getSerialNoDn
Principal resolver properties for SERIAL_NO_DN resolver type.

getSerialNo
Principal resolver properties for SERIAL_NO resolver type.

getWebflow
The webflow configuration.

getPrincipalTransformation
Principal transformation properties.
setRevocationPolicyThreshold
public X509Properties setRevocationPolicyThreshold(int revocationPolicyThreshold)
Threshold value if expired CRL revocation policy is to be handled via threshold.
- Returns:
  this.

setCheckAll
public X509Properties setCheckAll(boolean checkAll)
Whether revocation checking should check all resources, or stop at the first one.
- Returns:
  this.

setRefreshIntervalSeconds
public X509Properties setRefreshIntervalSeconds(int refreshIntervalSeconds)
The refresh interval of the internal scheduler in cases where CRL revocation checking is done via resources.
- Returns:
  this.

setPrincipalDescriptor
public X509Properties setPrincipalDescriptor(String principalDescriptor)
The principal descriptor used for principal resolution when type is set to X509Properties.PrincipalTypes.SUBJECT.
- Returns:
  this.

setThrowOnFetchFailure
public X509Properties setThrowOnFetchFailure(boolean throwOnFetchFailure)
When CRL revocation checking is done via distribution points, decide if fetch failures should throw errors.
- Returns:
  this.

setPrincipalType
public X509Properties setPrincipalType(X509Properties.PrincipalTypes principalType)
Indicates the type of principal resolution for X509.
- Returns:
  this.

setRevocationChecker
public X509Properties setRevocationChecker(String revocationChecker)
Revocation certificate checking can be carried out in one of the following ways:
- NONE: No revocation is performed.
- CRL: The CRL URI(s) mentioned in the certificate cRLDistributionPoints extension field. Caches are available to prevent excessive IO against CRL endpoints. CRL data is fetched if it does not exist in the cache or if it is expired.
- RESOURCE: A CRL hosted at a fixed location. The CRL is fetched at periodic intervals and cached.
- Returns:
  this.

setCrlFetcher
public X509Properties setCrlFetcher(String crlFetcher)
Options to describe how to fetch CRL resources. To fetch CRLs, the following options are available:
- RESOURCE: By default, all revocation checks use fixed resources to fetch the CRL resource from the specified location.
- LDAP: A CRL resource may be fetched from a pre-configured attribute, in the event that the CRL resource location is an LDAP URI.
- Returns:
  this.

setCrlResources
public X509Properties setCrlResources(List<String> crlResources)
List of CRL resources to use for fetching.
- Returns:
  this.

setCacheMaxElementsInMemory
public X509Properties setCacheMaxElementsInMemory(int cacheMaxElementsInMemory)
When CRLs are cached, indicate the maximum number of elements kept in memory.
- Returns:
  this.

setMixedMode
public X509Properties setMixedMode(boolean mixedMode)
Determine whether X509 authentication should allow other forms of authentication such as username/password. If this setting is turned off, typically the ability to view the login form as the primary form of authentication is turned off.
- Returns:
  this.

setCacheTimeToLiveSeconds
public X509Properties setCacheTimeToLiveSeconds(String cacheTimeToLiveSeconds)
When CRLs are cached, indicate the time-to-live of cache items.
- Returns:
  this.

setCrlResourceExpiredPolicy
public X509Properties setCrlResourceExpiredPolicy(String crlResourceExpiredPolicy)
If the CRL resource has expired, activate this policy. Activated if revocationChecker is RESOURCE. Accepted values are:
- ALLOW: Allow authentication to proceed.
- DENY: Deny authentication and block.
- THRESHOLD: Applicable to CRL expiration; throttle the request whereby expired data is permitted up to a threshold period of time but not afterward.
- Returns:
  this.

setCrlExpiredPolicy
public X509Properties setCrlExpiredPolicy(String crlExpiredPolicy)
If the CRL has expired, activate this policy. Activated if revocationChecker is CRL. Accepted values are:
- ALLOW: Allow authentication to proceed.
- DENY: Deny authentication and block.
- THRESHOLD: Applicable to CRL expiration; throttle the request whereby expired data is permitted up to a threshold period of time but not afterward.
- Returns:
  this.
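The ALLOW, DENY and THRESHOLD values apply both to crlResourceExpiredPolicy (revocationChecker RESOURCE) and to crlExpiredPolicy (revocationChecker CRL). The following added example, which is illustrative code and not CAS code, models how such a policy decision is evaluated against a CRL's nextUpdate time; the class and method names are hypothetical, and it assumes the THRESHOLD grace window (the revocationPolicyThreshold value, in seconds) is counted from nextUpdate.

```java
import java.time.Duration;
import java.time.Instant;

/** Illustrative evaluator for the expired-CRL policies (hypothetical, not CAS code). */
public final class ExpiredCrlPolicyDemo {
    /** Mirrors the accepted values of crlExpiredPolicy / crlResourceExpiredPolicy. */
    enum ExpiredPolicy { ALLOW, DENY, THRESHOLD }

    /**
     * Decide whether revocation checking may continue with a CRL whose nextUpdate
     * field lies in the past.
     *
     * @param nextUpdate       the CRL's nextUpdate time (when it expires)
     * @param now              evaluation time
     * @param policy           ALLOW, DENY or THRESHOLD
     * @param thresholdSeconds grace period for THRESHOLD (the revocationPolicyThreshold
     *                         value); assumed here to be counted from nextUpdate
     * @return true if the CRL may still be used for the revocation check
     */
    static boolean mayUseCrl(Instant nextUpdate, Instant now, ExpiredPolicy policy, long thresholdSeconds) {
        if (!now.isAfter(nextUpdate)) {
            return true; // CRL is still current; the expiry policy is not engaged
        }
        switch (policy) {
            case ALLOW:
                return true;  // stale data accepted without limit
            case DENY:
                return false; // stale data never accepted; authentication is blocked
            case THRESHOLD: {
                // stale data tolerated only inside the grace window
                Duration stale = Duration.between(nextUpdate, now);
                return stale.compareTo(Duration.ofSeconds(thresholdSeconds)) <= 0;
            }
            default:
                throw new IllegalArgumentException("unknown policy " + policy);
        }
    }

    public static void main(String[] args) {
        // Constructed sample: CRL expired at nextUpdate; THRESHOLD grace window of 30 minutes.
        Instant nextUpdate = Instant.parse("2024-01-01T00:00:00Z");
        long threshold = Duration.ofMinutes(30).getSeconds();
        Instant oneHourLater = nextUpdate.plus(Duration.ofHours(1));
        Instant tenMinutesLater = nextUpdate.plus(Duration.ofMinutes(10));
        for (ExpiredPolicy p : ExpiredPolicy.values()) {
            System.out.println(p + " after 1h: " + mayUseCrl(nextUpdate, oneHourLater, p, threshold)
                + ", after 10m: " + mayUseCrl(nextUpdate, tenMinutesLater, p, threshold));
        }
    }
}
```

Only THRESHOLD gives different answers for the two evaluation times: inside the 30-minute window the stale CRL is still accepted, outside it the check behaves like DENY.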
setPrincipal
Principal resolution properties.
- Returns:
  this.

setLdap
public X509Properties setLdap(X509LdapProperties ldap)
LDAP settings when fetching CRLs from LDAP.
- Returns:
  this.

setRegExTrustedIssuerDnPattern
public X509Properties setRegExTrustedIssuerDnPattern(String regExTrustedIssuerDnPattern)
The compiled pattern supplied by the deployer.
- Returns:
  this.

setMaxPathLength
public X509Properties setMaxPathLength(int maxPathLength)
Deployer supplied setting for maximum pathLength in a SUPPLIED certificate.
- Returns:
  this.

setMaxPathLengthAllowUnspecified
public X509Properties setMaxPathLengthAllowUnspecified(boolean maxPathLengthAllowUnspecified)
Deployer supplied setting to allow unlimited pathLength in a SUPPLIED certificate.
- Returns:
  this.

setCheckKeyUsage
public X509Properties setCheckKeyUsage(boolean checkKeyUsage)
Deployer supplied setting to check the KeyUsage extension.
- Returns:
  this.

setRequireKeyUsage
public X509Properties setRequireKeyUsage(boolean requireKeyUsage)
Deployer supplied setting to forcibly require the correct KeyUsage extension.
- Returns:
  this.

setRegExSubjectDnPattern
public X509Properties setRegExSubjectDnPattern(String regExSubjectDnPattern)
The pattern that authorizes an acceptable certificate by its subject DN.
- Returns:
  this.

setName
The authentication handler name.
- Returns:
  this.

setOrder
public X509Properties setOrder(int order)
The order of the authentication handler in the chain.
- Returns:
  this.

setExtractCert
public X509Properties setExtractCert(boolean extractCert)
Whether to extract the certificate from the request. The default implementation extracts the certificate from a header via Tomcat SSLValve parsing logic, using the DEFAULT_CERT_HEADER_NAME header. Must be false by default: whoever enables it needs to make sure CAS is behind a proxy that will not let the header arrive directly from the browser.
- Returns:
  this.

setSslHeaderName
public X509Properties setSslHeaderName(String sslHeaderName)
The name of the header to consult for an X509 cert (e.g. when behind a proxy).
- Returns:
  this.

setSubjectDn
public X509Properties setSubjectDn(SubjectDnPrincipalResolverProperties subjectDn)
Principal resolver properties for SUBJECT_DN resolver type.
- Returns:
  this.

setCnEdipi
Principal resolver properties for CN_EDIPI resolver type.
- Returns:
  this.

setSubjectAltName
public X509Properties setSubjectAltName(SubjectAltNamePrincipalResolverProperties subjectAltName)
Principal resolver properties for SUBJECT_ALT_NAME resolver type.
- Returns:
  this.

setRfc822Email
public X509Properties setRfc822Email(Rfc822EmailPrincipalResolverProperties rfc822Email)
Principal resolver properties for RFC822_EMAIL resolver type.
- Returns:
  this.

setSerialNoDn
public X509Properties setSerialNoDn(SerialNoDnPrincipalResolverProperties serialNoDn)
Principal resolver properties for SERIAL_NO_DN resolver type.
- Returns:
  this.

setSerialNo
Principal resolver properties for SERIAL_NO resolver type.
- Returns:
  this.

setWebflow
The webflow configuration.
- Returns:
  this.

setPrincipalTransformation
public X509Properties setPrincipalTransformation(PrincipalTransformationProperties principalTransformation)
Principal transformation properties.
- Returns:
  this.