X509RestHttpRequestCredentialFactory

[Curtis Ruck]

Given the warning on https://apereo.github.io/cas/5.3.x/protocol/REST-Protocol.html#x509-authentication

I believe the REST X509 authentication is completely useless in a production environment.  It expects a POST with the cert=<certificate bytes>.  This doesn't validate the public/private key handshake that the certificate is actually provided.

I'd argue that the cas-server-support-rest-x509 should be removed as even a possibility.

The right answer, IMO, would be to modify the RestHttpRequestCredentialFactory to have a fromRequest(HttpServletRequest request).  This would allow the X509RestHttpRequestCredentialFactory to pull the javax.servlet.request.X509Certificate from the request attribute, which would evaluate the public/private key handshake.

I'd like to submit a Pull Request for this change.  Any concerns I should be aware of?  I'd also like to backport it to 5.3.x at least (as I assume 6.0's GA is still a ways off).

[Curtis Ruck]

I submitted PR#3457 as my first PR.  Please be brutal with the feedback.

I thought about leaving the existing X509RestHttpRequestCredentialFactory, maybe renaming it, and creating a new one for the header functionality, and leave the conditional to the @Configuration class, but I figured getting the PR in first for feedback was more important that getting it right on the first attempt.