Closed
Description
For example, from version 1.11.6 of nginx (http://nginx.org/en/docs/http/ngx_http_ssl_module.html#variables), the default format of the "distinguished name" uses RFC 2253 (https://tools.ietf.org/html/rfc2253).
k8s nginx ingress uses it as well.
Example
nginx:
```
$ssl_client_s_dn => emailAddress=developer@example.com,CN=symfony.com
$ssl_client_s_dn_legacy => /emailAddress=developer@example.com/CN=symfony.com
```
Condition must be modified (add regex):
```php
namespace Symfony\Component\Security\Http\Firewall;

// ...

class X509AuthenticationListener extends AbstractPreAuthenticatedListener
{
    // ...

    /**
     * {@inheritdoc}
     */
    protected function getPreAuthenticatedData(Request $request)
    {
        $user = null;
        if ($request->server->has($this->userKey)) {
            $user = $request->server->get($this->userKey);
        } elseif ($request->server->has($this->credentialKey) && preg_match('#/emailAddress=(.+\@.+\..+)(/|$)#', $request->server->get($this->credentialKey), $matches)) {
            $user = $matches[1];
        }

        if (null === $user) {
            throw new BadCredentialsException(sprintf('SSL credentials not found: %s, %s', $this->userKey, $this->credentialKey));
        }

        return [$user, $request->server->get($this->credentialKey, '')];
    }
}
```
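
One way to extract the e-mail address from both DN formats, shown as an added example that is not part of the original issue or of Symfony's code. The helper name `extractEmailFromDn()` and the pattern are assumptions; the script runs the listener's current pattern and the new one over the two nginx values quoted above so the results can be compared.

```php
<?php
// Added example: extractEmailFromDn() is a hypothetical helper, not Symfony code.

/**
 * Return the emailAddress attribute of a certificate subject DN given in
 * either the legacy ("/a=b/c=d") or the RFC 2253 ("a=b,c=d") form,
 * or null when the DN carries no such attribute.
 */
function extractEmailFromDn(string $dn): ?string
{
    // (?:^|[/,])\s*  the attribute starts the DN or follows a separator
    // [^,/@]++       local part: may not contain "@" or a separator
    // [^,/]++        domain: stops at the next separator or the end
    // Bounded character classes keep the captured value inside one attribute.
    $pattern = '#(?:^|[/,])\s*emailAddress=([^,/@]++@[^,/]++)#';

    return preg_match($pattern, $dn, $m) === 1 ? $m[1] : null;
}

// Pattern currently used by the listener, kept here for comparison only.
const LEGACY_PATTERN = '#/emailAddress=(.+\@.+\..+)(/|$)#';

// The first two DN strings come from the nginx example in this issue;
// the third is constructed to exercise the "no e-mail" path.
$samples = [
    '$ssl_client_s_dn'        => 'emailAddress=developer@example.com,CN=symfony.com',
    '$ssl_client_s_dn_legacy' => '/emailAddress=developer@example.com/CN=symfony.com',
    'no email (constructed)'  => 'CN=symfony.com',
];

foreach ($samples as $label => $dn) {
    $old = preg_match(LEGACY_PATTERN, $dn, $m) === 1 ? $m[1] : null;
    $new = extractEmailFromDn($dn);
    printf("%-26s old=%s new=%s\n", $label, var_export($old, true), var_export($new, true));
}
```

The helper does not unescape RFC 2253 escape sequences such as `\,`; subjects that rely on them need a full DN parser rather than a single pattern.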