org.apereo.cas.adaptors.x509.authentication.handler.support

Class CRLDistributionPointRevocationChecker

java.lang.Object

org.apereo.cas.adaptors.x509.authentication.handler.support.AbstractCRLRevocationChecker

org.apereo.cas.adaptors.x509.authentication.handler.support.CRLDistributionPointRevocationChecker

All Implemented Interfaces:

RevocationChecker

@RefreshScope
 @Component(value="crlDistributionPointRevocationChecker")
public class CRLDistributionPointRevocationChecker
extends AbstractCRLRevocationChecker

Performs CRL-based revocation checking by consulting resources defined in the CRLDistributionPoints extension field on the certificate. Although RFC 2459 allows the distribution point name to have arbitrary meaning, this class expects the name to define an absolute URL, which is the most common implementation. This implementation caches CRL resources fetched from remote URLs to improve performance by avoiding CRL fetching on every revocation check.

Since:

3.4.6

Field Summary

Fields inherited from class org.apereo.cas.adaptors.x509.authentication.handler.support.AbstractCRLRevocationChecker

checkAll, logger

Constructor Summary

Constructors

Constructor and Description
CRLDistributionPointRevocationChecker(net.sf.ehcache.Cache crlCache) Creates a new instance that uses the given cache instance for CRL caching.
CRLDistributionPointRevocationChecker(net.sf.ehcache.Cache crlCache, boolean throwOnFetchFailure) Creates a new instance that uses the given cache instance for CRL caching.
CRLDistributionPointRevocationChecker(net.sf.ehcache.Cache crlCache, CRLFetcher fetcher) Instantiates a new CRL distribution point revocation checker.

Method Summary

Modifier and Type	Method and Description
protected boolean	addCRL(java.lang.Object id, java.security.cert.X509CRL crl) Records the addition of a new CRL entry.
protected java.util.List<java.security.cert.X509CRL>	getCRLs(java.security.cert.X509Certificate cert) Gets the collection of CRLs for the given certificate.
void	setExpiredCRLPolicy(RevocationPolicy policy) Sets the policy to apply when CRL data is expired.
void	setThrowOnFetchFailure(boolean throwOnFetchFailure) Throws exceptions if fetching crl fails.
void	setUnavailableCRLPolicy(RevocationPolicy policy) Sets the policy to apply when CRL data is unavailable.

Methods inherited from class org.apereo.cas.adaptors.x509.authentication.handler.support.AbstractCRLRevocationChecker

check, getCRL, getExpiredCRLPolicy, getUnavailableCRLPolicy, init, setCheckAll

Methods inherited from class java.lang.Object

clone, equals, finalize, getClass, hashCode, notify, notifyAll, toString, wait, wait, wait

Constructor Detail

CRLDistributionPointRevocationChecker

public CRLDistributionPointRevocationChecker(net.sf.ehcache.Cache crlCache)

Creates a new instance that uses the given cache instance for CRL caching.

Parameters:

crlCache - Cache for CRL data.

CRLDistributionPointRevocationChecker

public CRLDistributionPointRevocationChecker(net.sf.ehcache.Cache crlCache,
                                             boolean throwOnFetchFailure)

Creates a new instance that uses the given cache instance for CRL caching.

Parameters:

crlCache - Cache for CRL data.

throwOnFetchFailure - the throw on fetch failure

CRLDistributionPointRevocationChecker

public CRLDistributionPointRevocationChecker(net.sf.ehcache.Cache crlCache,
                                             CRLFetcher fetcher)

Instantiates a new CRL distribution point revocation checker.

Parameters:

crlCache - the crl cache

fetcher - the fetcher

Method Detail

setThrowOnFetchFailure

@Autowired
public void setThrowOnFetchFailure(@Value(value="${cas.x509.authn.crl.throw.failure:false}")
                                               boolean throwOnFetchFailure)

Throws exceptions if fetching crl fails. Defaults to false.

Parameters:

throwOnFetchFailure - the throw on fetch failure

getCRLs

protected java.util.List<java.security.cert.X509CRL> getCRLs(java.security.cert.X509Certificate cert)

Gets the collection of CRLs for the given certificate.

Specified by:

getCRLs in class AbstractCRLRevocationChecker

Parameters:

cert - Certificate for which the CRL of the issuing CA should be retrieved.

Returns:

CRLs for given cert.

See Also:

AbstractCRLRevocationChecker.getCRL(X509Certificate)

addCRL

protected boolean addCRL(java.lang.Object id,
                         java.security.cert.X509CRL crl)

Description copied from class: AbstractCRLRevocationChecker

Records the addition of a new CRL entry.

Specified by:

addCRL in class AbstractCRLRevocationChecker

Parameters:

id - the id of the entry to keep track of

crl - new CRL entry

Returns:

true if the entry was added successfully.

setUnavailableCRLPolicy

@Autowired(required=false)
public void setUnavailableCRLPolicy(@Qualifier(value="x509CrlUnavailableRevocationPolicy")
                                                                RevocationPolicy policy)

Description copied from class: AbstractCRLRevocationChecker

Sets the policy to apply when CRL data is unavailable.

Overrides:

setUnavailableCRLPolicy in class AbstractCRLRevocationChecker

Parameters:

policy - Revocation policy.

setExpiredCRLPolicy

@Autowired(required=false)
public void setExpiredCRLPolicy(@Qualifier(value="x509CrlExpiredRevocationPolicy")
                                                            RevocationPolicy policy)

Description copied from class: AbstractCRLRevocationChecker

Sets the policy to apply when CRL data is expired.

Overrides:

setExpiredCRLPolicy in class AbstractCRLRevocationChecker

Parameters:

policy - Revocation policy.