Given the warning on https://apereo.github.io/cas/5.3.x/protocol/REST-Protocol.html#x509-authentication
I believe the REST X509 authentication is completely useless in a production environment. It expects a POST with the cert=<certificate bytes>. This doesn't validate the public/private key handshake that the certificate is actually provided.
I'd argue that the cas-server-support-rest-x509 should be removed as even a possibility.
The right answer, IMO, would be to modify the RestHttpRequestCredentialFactory to have a fromRequest(HttpServletRequest request). This would allow the X509RestHttpRequestCredentialFactory to pull the javax.servlet.request.X509Certificate from the request attribute, which would evaluate the public/private key handshake.
I'd like to submit a Pull Request for this change. Any concerns I should be aware of? I'd also like to backport it to 5.3.x at least (as I assume 6.0's GA is still a ways off).
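To make the distinction in the proposal concrete, here is an added example (not code from the CAS project or from the issue author) that puts the two ways of obtaining a client certificate side by side: parsing whatever bytes arrive in a `cert` POST parameter, versus reading the `javax.servlet.request.X509Certificate` attribute that the servlet container populates only after a completed mutual-TLS handshake. The class and method names (`ClientCertSource`, `fromPostParameter`, `fromTlsHandshake`) are assumptions for illustration, not CAS APIs.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Optional;
import javax.servlet.http.HttpServletRequest;

/**
 * Hypothetical helper (not CAS code) contrasting two sources for a client
 * certificate on a REST request. Only one of them proves key possession.
 */
public final class ClientCertSource {

    /** Standard attribute a servlet container sets after successful TLS client authentication. */
    public static final String TLS_CERT_ATTR = "javax.servlet.request.X509Certificate";

    private ClientCertSource() {}

    /**
     * Weak: the certificate is whatever the caller put in the "cert" parameter.
     * A certificate is public data, so anyone who has seen it can submit it;
     * nothing here shows the caller holds the matching private key.
     */
    public static Optional<X509Certificate> fromPostParameter(HttpServletRequest request) {
        String encoded = request.getParameter("cert");
        if (encoded == null || encoded.isEmpty()) {
            return Optional.empty();
        }
        try {
            // The JDK X.509 factory accepts both raw DER and PEM ("-----BEGIN CERTIFICATE-----").
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            byte[] raw = encoded.getBytes(StandardCharsets.US_ASCII);
            X509Certificate cert = (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(raw));
            return Optional.of(cert);
        } catch (CertificateException e) {
            return Optional.empty();
        }
    }

    /**
     * Sound: the chain is taken from the request attribute that the container
     * sets only when the TLS layer completed client authentication, i.e. the
     * peer signed the handshake with the private key of the leaf certificate
     * and the chain validated against the container's trust store.
     */
    public static Optional<X509Certificate> fromTlsHandshake(HttpServletRequest request) {
        Object attr = request.getAttribute(TLS_CERT_ATTR);
        if (!(attr instanceof X509Certificate[])) {
            return Optional.empty();   // no mutual-TLS handshake took place
        }
        X509Certificate[] chain = (X509Certificate[]) attr;
        if (chain.length == 0 || chain[0] == null) {
            return Optional.empty();
        }
        // chain[0] is the client's own (leaf) certificate; issuers follow.
        return Optional.of(chain[0]);
    }
}
```

The attribute route only works when the connector in front of the application is configured to request client certificates (for Tomcat, `clientAuth="want"` or `"true"` on the HTTPS connector); a reverse proxy that terminates TLS would have to be trusted to forward the certificate in a header instead, which reopens the same spoofing question unless that header is stripped from untrusted clients. Either way, authorization decisions should still consult revocation status and the expected issuer, since the handshake proves possession, not that the certificate should be accepted.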