**Currently we can have Spring Security filters utilized in order to perform 2WayTLS with CN name validations for user authorizations, but it's difficult to do the same for all the trusted CN names**
2WayTLS Steps -
1) Client sends request
2) Server presents certificate. If the presented certificate or the signer CA is trusted by the client, it trusts the server (also there is one DNS matching which is subjective)
3) Server asks for a certificate from the client
4) Client presents the certificate
5) If CA is trusted by the server, the handshake is complete (this is the step where I want to put strict validation against trusting the leaf cert instead of just a CA check)
There is one way to do step 5, using authorization mechanisms in Spring Security, by providing CN name extraction and then comparing it, but there is no convenient way of doing it; it requires importing the entire security layer and manually parsing each cert.
Can't we just have a YAML property like `client-auth: need` to make it more obvious to perform the CN name validation for leaf-level verification (trusting only if the certificate's public key is trusted, and not trusting even when the signing CA is trusted)?
This is needed as the same signer can be used for many certs, and it causes unauthorized access if we only use 2-way TLS as the auth mechanism.
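The step-5 check the issue asks for, as an added example of the current workaround in Spring Security (not code from the Spring project or from the issue author): a `SecurityFilterChain` that pins on the SHA-256 fingerprint of the client leaf certificate's public key instead of trusting every certificate the CA signed. It assumes `server.ssl.client-auth: need` is already configured so the TLS layer has done the CA check, and the fingerprint value in the map is a placeholder to be replaced.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.util.HexFormat;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.core.userdetails.User;
import org.springframework.security.core.userdetails.UsernameNotFoundException;
import org.springframework.security.web.SecurityFilterChain;

@Configuration
public class LeafCertPinningConfig {
    // Constructed allow-list (placeholder value): SHA-256 over the DER-encoded
    // SubjectPublicKeyInfo of each trusted client leaf certificate -> granted authority.
    // A client whose CA is trusted by the TLS layer but whose key is absent here is rejected.
    private static final Map<String, String> TRUSTED_LEAF_SPKI = Map.of(
            "<sha256-hex-of-client-a-public-key>", "ROLE_CLIENT_A");

    @Bean
    SecurityFilterChain filterChain(HttpSecurity http) throws Exception {
        http
            .authorizeHttpRequests(auth -> auth.anyRequest().authenticated())
            .x509(x509 -> x509
                // Principal = fingerprint of the leaf public key, not the CN from the subject DN.
                .x509PrincipalExtractor(LeafCertPinningConfig::leafPublicKeyFingerprint)
                .userDetailsService(fingerprint -> {
                    String authority = TRUSTED_LEAF_SPKI.get(fingerprint);
                    if (authority == null) {
                        // Unknown fingerprint -> UsernameNotFoundException -> request rejected.
                        throw new UsernameNotFoundException("client leaf certificate not pinned");
                    }
                    return User.withUsername(fingerprint).password("").authorities(authority).build();
                }));
        return http.build();
    }

    // Hash the public key only, so re-issuing the same key under a new certificate
    // keeps working while any other key signed by the same CA fails the check.
    static String leafPublicKeyFingerprint(X509Certificate cert) {
        try {
            byte[] spki = cert.getPublicKey().getEncoded(); // X.509 SubjectPublicKeyInfo, DER
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(spki);
            return HexFormat.of().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }
}
```

The password is never checked on this path because the X.509 configurer wires a pre-authenticated provider; the `UserDetailsService` only decides whether the presented fingerprint is known.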
Comment From: venkatesh010
Any assignment for this please?
Comment From: wagnerluis1982
I'd love to work on that, although I don't know if I can do it fast. I will check on the weekend.
Any tip on which classes/tests I should touch?
Comment From: venkatesh010
@rwinch any place to start with this? Actually, I'm not able to find the handler.
Comment From: venkatesh010
Any update, milestone, or flaw in this issue? Please let me know. Any suggestions for a PR would also help.