Class X509Properties

java.lang.Object
org.apereo.cas.configuration.model.support.x509.X509Properties
All Implemented Interfaces:
Serializable

@RequiresModule(name="cas-server-support-x509-webflow") public class X509Properties extends Object implements Serializable
Since:
5.0.0
  • Constructor Details

    • X509Properties

      public X509Properties()
  • Method Details

    • getRevocationPolicyThreshold

      public int getRevocationPolicyThreshold()
      Threshold value if expired CRL revocation policy is to be handled via threshold.
    • isCheckAll

      public boolean isCheckAll()
      Whether revocation checking should check all resources, or stop at first one.
    • getRefreshIntervalSeconds

      public int getRefreshIntervalSeconds()
      The refresh interval of the internal scheduler in cases where CRL revocation checking is done via resources.
    • getPrincipalDescriptor

      public String getPrincipalDescriptor()
      The principal descriptor used for principal resolution when type is set to X509Properties.PrincipalTypes.SUBJECT.
    • isThrowOnFetchFailure

      public boolean isThrowOnFetchFailure()
      When CRL revocation checking is done via distribution points, decide if fetch failures should throw errors.
    • getPrincipalType

      public X509Properties.PrincipalTypes getPrincipalType()
      Indicates the type of principal resolution for X509.
    • getRevocationChecker

      public String getRevocationChecker()
      Revocation certificate checking can be carried out in one of the following ways:
      • NONE: No revocation checking is performed.
      • CRL: The CRL URI(s) listed in the certificate's cRLDistributionPoints extension. Caches are available to prevent excessive I/O against CRL endpoints. CRL data is fetched if it does not exist in the cache or if it has expired.
      • RESOURCE: A CRL hosted at a fixed location. The CRL is fetched at periodic intervals and cached.
    • getCrlFetcher

      public String getCrlFetcher()
      Options to describe how to fetch CRL resources.

      To fetch CRLs, the following options are available:

      • RESOURCE: By default, all revocation checks use fixed resources to fetch the CRL resource from the specified location.
      • LDAP: A CRL resource may be fetched from a pre-configured attribute, in the event that the CRL resource location is an LDAP URI.
    • getCrlResources

      public List<String> getCrlResources()
      List of CRL resources to use for fetching.
    • getCacheMaxElementsInMemory

      public int getCacheMaxElementsInMemory()
      When CRLs are cached, indicate the maximum number of elements kept in memory.
    • isMixedMode

      public boolean isMixedMode()
      Determine whether X509 authentication should allow other forms of authentication such as username/password. If this setting is turned off, typically the ability to view the login form as the primary form of authentication is turned off.
    • getCacheTimeToLiveSeconds

      public String getCacheTimeToLiveSeconds()
      When CRLs are cached, indicate the time-to-live of cache items.
    • getCrlResourceUnavailablePolicy

      public String getCrlResourceUnavailablePolicy()
      If the CRL resource is unavailable, activate this policy. Applies when revocationChecker is RESOURCE. Accepted values are:
      • ALLOW: Allow authentication to proceed.
      • DENY: Deny authentication and block.
      • THRESHOLD: Applicable to CRL expiration: throttle the request, permitting expired data up to a threshold period of time but not afterward.
    • getCrlResourceExpiredPolicy

      public String getCrlResourceExpiredPolicy()
      If the CRL resource has expired, activate this policy. Applies when revocationChecker is RESOURCE. Accepted values are:
      • ALLOW: Allow authentication to proceed.
      • DENY: Deny authentication and block.
      • THRESHOLD: Applicable to CRL expiration: throttle the request, permitting expired data up to a threshold period of time but not afterward.
    • getCrlUnavailablePolicy

      public String getCrlUnavailablePolicy()
      If the CRL is unavailable, activate this policy. Applies when revocationChecker is CRL. Accepted values are:
      • ALLOW: Allow authentication to proceed.
      • DENY: Deny authentication and block.
      • THRESHOLD: Applicable to CRL expiration: throttle the request, permitting expired data up to a threshold period of time but not afterward.
    • getCrlExpiredPolicy

      public String getCrlExpiredPolicy()
      If the CRL has expired, activate this policy. Applies when revocationChecker is CRL. Accepted values are:
      • ALLOW: Allow authentication to proceed.
      • DENY: Deny authentication and block.
      • THRESHOLD: Applicable to CRL expiration: throttle the request, permitting expired data up to a threshold period of time but not afterward.
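      What the three accepted values mean in practice, as an added illustration that is not CAS code: a stand-alone model of the expired-CRL decision, where nextUpdate stands for the fetched CRL's nextUpdate field and thresholdSeconds for the revocationPolicyThreshold setting. The class, enum and method names are this example's own, and the sample instants in main are constructed.

```java
import java.time.Duration;
import java.time.Instant;

/**
 * Illustrative model (added example, not CAS code) of how an expired-CRL
 * policy is applied. nextUpdate is assumed to have been read already from the
 * fetched X509CRL; thresholdSeconds plays the role of revocationPolicyThreshold.
 */
public final class CrlExpiryPolicyDemo {

    /** Mirrors the accepted values documented for the *ExpiredPolicy settings. */
    public enum Policy { ALLOW, DENY, THRESHOLD }

    private CrlExpiryPolicyDemo() {
    }

    /**
     * Decide whether authentication may continue given the CRL's nextUpdate.
     *
     * @param policy           configured expired-CRL policy
     * @param nextUpdate       the CRL's nextUpdate field
     * @param now              evaluation time
     * @param thresholdSeconds grace period, only consulted for THRESHOLD
     * @return true if the (possibly stale) CRL may still be relied upon
     */
    public static boolean permit(Policy policy, Instant nextUpdate, Instant now, long thresholdSeconds) {
        if (!now.isAfter(nextUpdate)) {
            // CRL is still current; no expiry policy is involved at all
            return true;
        }
        if (policy == Policy.ALLOW) {
            return true;
        }
        if (policy == Policy.DENY) {
            return false;
        }
        // THRESHOLD: tolerate a stale CRL only while it is within the grace period
        Duration overdue = Duration.between(nextUpdate, now);
        return overdue.compareTo(Duration.ofSeconds(thresholdSeconds)) <= 0;
    }

    public static void main(String[] args) {
        // Constructed sample values: a CRL whose nextUpdate has passed
        Instant nextUpdate = Instant.parse("2024-01-01T00:00:00Z");
        Instant oneHourLate = nextUpdate.plus(Duration.ofHours(1));
        Instant oneDayLate = nextUpdate.plus(Duration.ofDays(1));
        long sixHours = Duration.ofHours(6).getSeconds();

        System.out.println("DENY, 1h stale:       " + permit(Policy.DENY, nextUpdate, oneHourLate, sixHours));
        System.out.println("ALLOW, 1d stale:      " + permit(Policy.ALLOW, nextUpdate, oneDayLate, sixHours));
        System.out.println("THRESHOLD, 1h stale:  " + permit(Policy.THRESHOLD, nextUpdate, oneHourLate, sixHours));
        System.out.println("THRESHOLD, 1d stale:  " + permit(Policy.THRESHOLD, nextUpdate, oneDayLate, sixHours));
    }
}
```

      The point the model makes is that THRESHOLD is not a middle ground between ALLOW and DENY in general: it only changes the outcome for a CRL that has expired, and only until the configured threshold has elapsed, after which it behaves like DENY.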
    • getPrincipal

      Principal resolution properties.
    • getLdap

      public X509LdapProperties getLdap()
      LDAP settings when fetching CRLs from LDAP.
    • getRegExTrustedIssuerDnPattern

      public String getRegExTrustedIssuerDnPattern()
      The pattern, supplied by the deployer, that a trusted issuer DN must match.
    • getMaxPathLength

      public int getMaxPathLength()
      Deployer-supplied setting for the maximum pathLength in a SUPPLIED certificate.
    • isMaxPathLengthAllowUnspecified

      public boolean isMaxPathLengthAllowUnspecified()
      Deployer-supplied setting to allow unlimited pathLength in a SUPPLIED certificate.
    • isCheckKeyUsage

      public boolean isCheckKeyUsage()
      Deployer-supplied setting to check the KeyUsage extension.
    • isRequireKeyUsage

      public boolean isRequireKeyUsage()
      Deployer-supplied setting to require the correct KeyUsage extension.
    • getRegExSubjectDnPattern

      public String getRegExSubjectDnPattern()
      The pattern that authorizes an acceptable certificate by its subject DN.
    • getName

      public String getName()
      The authentication handler name.
    • getOrder

      public int getOrder()
      The order of the authentication handler in the chain.
    • isExtractCert

      public boolean isExtractCert()
      Whether to extract the certificate from the request. The default implementation extracts the certificate from a header via Tomcat SSLValve parsing logic, using the DEFAULT_CERT_HEADER_NAME header. Must be false by default: whoever enables it must make sure CAS sits behind a proxy that does not let the header arrive directly from the browser.
    • getSslHeaderName

      public String getSslHeaderName()
      The name of the header to consult for an X509 certificate (e.g. when behind a proxy).
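      How these settings fit together in a deployment, as an added configuration example that is not from this page or from the CAS project. The property keys are assumed to follow CAS's cas.authn.x509.* prefix with the kebab-case form of the field names documented above; the header name, DN patterns and threshold are constructed sample values.

```properties
# Added example; keys assumed to be cas.authn.x509.* (kebab-case of the field names
# above). Check them against the CAS version actually deployed.

# --- Weak: header extraction enabled with CAS directly reachable by clients ---
# A browser can then send the certificate header itself, so whatever is in the
# header is trusted as if a TLS handshake had verified it.
#cas.authn.x509.extract-cert=true
#cas.authn.x509.ssl-header-name=ssl_client_cert

# --- Hardened: extraction only when every request passes a TLS-terminating proxy ---
# The proxy must set this header from the verified client certificate and drop any
# copy a client supplied; otherwise leave extract-cert at its default of false.
cas.authn.x509.extract-cert=true
cas.authn.x509.ssl-header-name=ssl_client_cert

# Accept only certificates from the expected issuer and population (sample patterns).
cas.authn.x509.reg-ex-trusted-issuer-dn-pattern=CN=Example Issuing CA,O=Example,C=US
cas.authn.x509.reg-ex-subject-dn-pattern=.*OU=People.*
cas.authn.x509.check-key-usage=true
cas.authn.x509.require-key-usage=true
cas.authn.x509.max-path-length=1
cas.authn.x509.max-path-length-allow-unspecified=false

# Revocation: use the certificate's distribution points; a missing CRL denies,
# an expired one is tolerated for the threshold (48 h here) and then denies.
cas.authn.x509.revocation-checker=CRL
cas.authn.x509.crl-unavailable-policy=DENY
cas.authn.x509.crl-expired-policy=THRESHOLD
cas.authn.x509.revocation-policy-threshold=172800

# Certificate is the only accepted form of authentication on this login flow.
cas.authn.x509.mixed-mode=false
```

      The two halves differ in deployment topology, not in the properties themselves: the same extract-cert and ssl-header-name values are safe only when the header can never originate from the client, which is exactly the condition the isExtractCert description above places on anyone enabling it.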
    • getSubjectDn

      public SubjectDnPrincipalResolverProperties getSubjectDn()
      Principal resolver properties for SUBJECT_DN resolver type.
    • getCnEdipi

      Principal resolver properties for CN_EDIPI resolver type.
    • getSubjectAltName

      public SubjectAltNamePrincipalResolverProperties getSubjectAltName()
      Principal resolver properties for SUBJECT_ALT_NAME resolver type.
    • getRfc822Email

      public Rfc822EmailPrincipalResolverProperties getRfc822Email()
      Principal resolver properties for RFC822_EMAIL resolver type.
    • getSerialNoDn

      public SerialNoDnPrincipalResolverProperties getSerialNoDn()
      Principal resolver properties for SERIAL_NO_DN resolver type.
    • getSerialNo

      Principal resolver properties for SERIAL_NO resolver type.
    • getWebflow

      The webflow configuration.
    • getPrincipalTransformation

      public PrincipalTransformationProperties getPrincipalTransformation()
      Principal transformation properties.
    • setRevocationPolicyThreshold

      public X509Properties setRevocationPolicyThreshold(int revocationPolicyThreshold)
      Threshold value if expired CRL revocation policy is to be handled via threshold.
      Returns:
      this.
    • setCheckAll

      public X509Properties setCheckAll(boolean checkAll)
      Whether revocation checking should check all resources, or stop at first one.
      Returns:
      this.
    • setRefreshIntervalSeconds

      public X509Properties setRefreshIntervalSeconds(int refreshIntervalSeconds)
      The refresh interval of the internal scheduler in cases where CRL revocation checking is done via resources.
      Returns:
      this.
    • setPrincipalDescriptor

      public X509Properties setPrincipalDescriptor(String principalDescriptor)
      The principal descriptor used for principal resolution when type is set to X509Properties.PrincipalTypes.SUBJECT.
      Returns:
      this.
    • setThrowOnFetchFailure

      public X509Properties setThrowOnFetchFailure(boolean throwOnFetchFailure)
      When CRL revocation checking is done via distribution points, decide if fetch failures should throw errors.
      Returns:
      this.
    • setPrincipalType

      public X509Properties setPrincipalType(X509Properties.PrincipalTypes principalType)
      Indicates the type of principal resolution for X509.
      Returns:
      this.
    • setRevocationChecker

      public X509Properties setRevocationChecker(String revocationChecker)
      Revocation certificate checking can be carried out in one of the following ways:
      • NONE: No revocation checking is performed.
      • CRL: The CRL URI(s) listed in the certificate's cRLDistributionPoints extension. Caches are available to prevent excessive I/O against CRL endpoints. CRL data is fetched if it does not exist in the cache or if it has expired.
      • RESOURCE: A CRL hosted at a fixed location. The CRL is fetched at periodic intervals and cached.
      Returns:
      this.
    • setCrlFetcher

      public X509Properties setCrlFetcher(String crlFetcher)
      Options to describe how to fetch CRL resources.

      To fetch CRLs, the following options are available:

      • RESOURCE: By default, all revocation checks use fixed resources to fetch the CRL resource from the specified location.
      • LDAP: A CRL resource may be fetched from a pre-configured attribute, in the event that the CRL resource location is an LDAP URI.
      Returns:
      this.
    • setCrlResources

      public X509Properties setCrlResources(List<String> crlResources)
      List of CRL resources to use for fetching.
      Returns:
      this.
    • setCacheMaxElementsInMemory

      public X509Properties setCacheMaxElementsInMemory(int cacheMaxElementsInMemory)
      When CRLs are cached, indicate the maximum number of elements kept in memory.
      Returns:
      this.
    • setMixedMode

      public X509Properties setMixedMode(boolean mixedMode)
      Determine whether X509 authentication should allow other forms of authentication such as username/password. If this setting is turned off, typically the ability to view the login form as the primary form of authentication is turned off.
      Returns:
      this.
    • setCacheTimeToLiveSeconds

      public X509Properties setCacheTimeToLiveSeconds(String cacheTimeToLiveSeconds)
      When CRLs are cached, indicate the time-to-live of cache items.
      Returns:
      this.
    • setCrlResourceUnavailablePolicy

      public X509Properties setCrlResourceUnavailablePolicy(String crlResourceUnavailablePolicy)
      If the CRL resource is unavailable, activate this policy. Applies when revocationChecker is RESOURCE. Accepted values are:
      • ALLOW: Allow authentication to proceed.
      • DENY: Deny authentication and block.
      • THRESHOLD: Applicable to CRL expiration: throttle the request, permitting expired data up to a threshold period of time but not afterward.
      Returns:
      this.
    • setCrlResourceExpiredPolicy

      public X509Properties setCrlResourceExpiredPolicy(String crlResourceExpiredPolicy)
      If the CRL resource has expired, activate this policy. Applies when revocationChecker is RESOURCE. Accepted values are:
      • ALLOW: Allow authentication to proceed.
      • DENY: Deny authentication and block.
      • THRESHOLD: Applicable to CRL expiration: throttle the request, permitting expired data up to a threshold period of time but not afterward.
      Returns:
      this.
    • setCrlUnavailablePolicy

      public X509Properties setCrlUnavailablePolicy(String crlUnavailablePolicy)
      If the CRL is unavailable, activate this policy. Applies when revocationChecker is CRL. Accepted values are:
      • ALLOW: Allow authentication to proceed.
      • DENY: Deny authentication and block.
      • THRESHOLD: Applicable to CRL expiration: throttle the request, permitting expired data up to a threshold period of time but not afterward.
      Returns:
      this.
    • setCrlExpiredPolicy

      public X509Properties setCrlExpiredPolicy(String crlExpiredPolicy)
      If the CRL has expired, activate this policy. Applies when revocationChecker is CRL. Accepted values are:
      • ALLOW: Allow authentication to proceed.
      • DENY: Deny authentication and block.
      • THRESHOLD: Applicable to CRL expiration: throttle the request, permitting expired data up to a threshold period of time but not afterward.
      Returns:
      this.
    • setPrincipal

      Principal resolution properties.
      Returns:
      this.
    • setLdap

      public X509Properties setLdap(X509LdapProperties ldap)
      LDAP settings when fetching CRLs from LDAP.
      Returns:
      this.
    • setRegExTrustedIssuerDnPattern

      public X509Properties setRegExTrustedIssuerDnPattern(String regExTrustedIssuerDnPattern)
      The pattern, supplied by the deployer, that a trusted issuer DN must match.
      Returns:
      this.
    • setMaxPathLength

      public X509Properties setMaxPathLength(int maxPathLength)
      Deployer-supplied setting for the maximum pathLength in a SUPPLIED certificate.
      Returns:
      this.
    • setMaxPathLengthAllowUnspecified

      public X509Properties setMaxPathLengthAllowUnspecified(boolean maxPathLengthAllowUnspecified)
      Deployer-supplied setting to allow unlimited pathLength in a SUPPLIED certificate.
      Returns:
      this.
    • setCheckKeyUsage

      public X509Properties setCheckKeyUsage(boolean checkKeyUsage)
      Deployer-supplied setting to check the KeyUsage extension.
      Returns:
      this.
    • setRequireKeyUsage

      public X509Properties setRequireKeyUsage(boolean requireKeyUsage)
      Deployer-supplied setting to require the correct KeyUsage extension.
      Returns:
      this.
    • setRegExSubjectDnPattern

      public X509Properties setRegExSubjectDnPattern(String regExSubjectDnPattern)
      The pattern that authorizes an acceptable certificate by its subject DN.
      Returns:
      this.
    • setName

      public X509Properties setName(String name)
      The authentication handler name.
      Returns:
      this.
    • setOrder

      public X509Properties setOrder(int order)
      The order of the authentication handler in the chain.
      Returns:
      this.
    • setExtractCert

      public X509Properties setExtractCert(boolean extractCert)
      Whether to extract the certificate from the request. The default implementation extracts the certificate from a header via Tomcat SSLValve parsing logic, using the DEFAULT_CERT_HEADER_NAME header. Must be false by default: whoever enables it must make sure CAS sits behind a proxy that does not let the header arrive directly from the browser.
      Returns:
      this.
    • setSslHeaderName

      public X509Properties setSslHeaderName(String sslHeaderName)
      The name of the header to consult for an X509 certificate (e.g. when behind a proxy).
      Returns:
      this.
    • setSubjectDn

      public X509Properties setSubjectDn(SubjectDnPrincipalResolverProperties subjectDn)
      Principal resolver properties for SUBJECT_DN resolver type.
      Returns:
      this.
    • setCnEdipi

      Principal resolver properties for CN_EDIPI resolver type.
      Returns:
      this.
    • setSubjectAltName

      public X509Properties setSubjectAltName(SubjectAltNamePrincipalResolverProperties subjectAltName)
      Principal resolver properties for SUBJECT_ALT_NAME resolver type.
      Returns:
      this.
    • setRfc822Email

      public X509Properties setRfc822Email(Rfc822EmailPrincipalResolverProperties rfc822Email)
      Principal resolver properties for RFC822_EMAIL resolver type.
      Returns:
      this.
    • setSerialNoDn

      public X509Properties setSerialNoDn(SerialNoDnPrincipalResolverProperties serialNoDn)
      Principal resolver properties for SERIAL_NO_DN resolver type.
      Returns:
      this.
    • setSerialNo

      public X509Properties setSerialNo(SerialNoPrincipalResolverProperties serialNo)
      Principal resolver properties for SERIAL_NO resolver type.
      Returns:
      this.
    • setWebflow

      The webflow configuration.
      Returns:
      this.
    • setPrincipalTransformation

      public X509Properties setPrincipalTransformation(PrincipalTransformationProperties principalTransformation)
      Principal transformation properties.
      Returns:
      this.