...
For more advanced control over this process, you need to perform additional steps and add more complex Spring wiring involving the org.opensaml.security.httpclient.HttpClientSecurityParameters class, which provides a mechanism for using a TrustEngine to evaluate the server's certificate. There are a variety of TrustEngine implementations that can perform simple or advanced checks, but the critical difference is that they're contextual. That is, a TrustEngine can be attached to one component so that the rules it applies are specific to that component alone, rather than to the whole system.
...
Note: You need to be careful with this, because leaving out a step can introduce security holes. In particular, if you want an HttpClient bean to use the special TLSSocketFactory we provide that supports a TrustEngine, you MUST provide an HttpClientSecurityParameters instance to the component using the HttpClient bean to configure the security behavior you want.
...
To use a TrustEngine, you need to define an HttpClientSecurityParameters bean with a tLSTrustEngine property. While you can define any compatible object, the two most common cases are supported via a pair of factory beans:
...
TLS Client Authentication
...
Configuring a component using the HttpClient with a private key and certificate for authenticating itself to a server is a simple two-step process:
- Make sure the HttpClient bean's tLSSocketFactory-ref property points to the shibboleth.SecurityEnhancedTLSSocketFactoryWithClientTLS bean.
- Configure the clientTLSCredential property of the HttpClientSecurityParameters instance injected into the component with an X.509 credential.
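The two steps above, wired together as a Spring bean file. This is an added example, not configuration from the original page or from the Shibboleth project itself. It assumes the bean ids MyHttpClient, MyClientTLSCredential, MyServerTrustEngine and MyHttpSecurityParams, the file paths under %{idp.home}, the BasicX509CredentialFactoryBean class for loading the key pair, and the shibboleth.StaticExplicitTrustEngineFactory parent bean for the server-side trust check; verify those names against the version of the IdP you are deploying.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example, not the project's own wiring. Assumed: every bean id below,
     the %{idp.home} file paths, BasicX509CredentialFactoryBean and the
     shibboleth.StaticExplicitTrustEngineFactory parent bean. -->
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
       xmlns:p="http://www.springframework.org/schema/p"
       xsi:schemaLocation="http://www.springframework.org/schema/beans
                           http://www.springframework.org/schema/beans/spring-beans.xsd">

    <!-- Step 1: an HttpClient whose socket factory honors a TrustEngine
         and can present a client certificate during the TLS handshake. -->
    <bean id="MyHttpClient" parent="shibboleth.HttpClientFactory"
        p:tLSSocketFactory-ref="shibboleth.SecurityEnhancedTLSSocketFactoryWithClientTLS" />

    <!-- Key pair the IdP presents to the remote server (assumed paths). -->
    <bean id="MyClientTLSCredential"
        class="net.shibboleth.idp.profile.spring.factory.BasicX509CredentialFactoryBean"
        p:privateKeyResource="%{idp.home}/credentials/idp-backchannel.key"
        p:certificateResource="%{idp.home}/credentials/idp-backchannel.crt" />

    <!-- Server certificate(s) the IdP will accept; assumed factory bean.
         Scoped to this component only, not to the JVM-wide truststore. -->
    <bean id="MyServerTrustEngine" parent="shibboleth.StaticExplicitTrustEngineFactory">
        <property name="certificates">
            <list>
                <value>%{idp.home}/conf/remote-service.crt</value>
            </list>
        </property>
    </bean>

    <!-- Step 2: the parameters injected into the component that uses
         MyHttpClient. Both the client credential (what we present) and the
         trust engine (how we judge the server) live here, which is why
         omitting this bean leaves the server certificate unevaluated. -->
    <bean id="MyHttpSecurityParams"
        class="org.opensaml.security.httpclient.HttpClientSecurityParameters"
        p:clientTLSCredential-ref="MyClientTLSCredential"
        p:tLSTrustEngine-ref="MyServerTrustEngine" />

</beans>
```

The consuming component must receive both beans, MyHttpClient as its HttpClient and MyHttpSecurityParams as its HttpClientSecurityParameters (for example, via the httpClientRef and httpClientSecurityParametersRef attributes of a metadata provider, assumed here as one such consumer). Pointing a component at MyHttpClient alone satisfies step 1 but not step 2: the client certificate is never presented, and, per the note above, the server's certificate is not evaluated by the TrustEngine.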
HTTP Authentication
TBD
Reference
...