"Want" two-way-ssl not containing SSL-Certificate is not checkable due to contract violation [SPR-16842]

[spring-projects-issues]

Henning Vogt opened SPR-16842 and commented

Hi,
If two-way-ssl is on "want" mode (as opposed to the stricter "need"), and client does not deliver a certificate, getSslInfo() does not work, since init method fails:

java.lang.IllegalArgumentException: No SSL certificates
	at org.springframework.util.Assert.notNull(Assert.java:193)
	at org.springframework.http.server.reactive.DefaultSslInfo.<init>(DefaultSslInfo.java:44)
	at org.springframework.http.server.reactive.ServletServerHttpRequest.initSslInfo(ServletServerHttpRequest.java:190)
	at org.springframework.http.server.reactive.AbstractServerHttpRequest.getSslInfo(AbstractServerHttpRequest.java:162)

...but according to the description, it's supposed to work:

/**
 * Return the SSL session information if the request has been transmitted
 * over a secure protocol including SSL certificates, if available.
 * @return the session information, or \{@code null} if none available
 * @since 5.0.2 */
 @Nullable default SslInfo getSslInfo() \{ return null; }

 

---

Affects: 5.0.5

Issue Links:

• With two-way-ssl exchange.getRequest().getSslInfo() always null [SPR-16507] #21050 With two-way-ssl exchange.getRequest().getSslInfo() always null

Referenced from: commits 1e4a3a2, a158ff4

[spring-projects-issues]

Rossen Stoyanchev commented

What would you expect in this case, null SslInfo, or SslInfo with null peerCertificates?

[spring-projects-issues]

Henning Vogt commented

I'd expect null SslInfo, that's how I interpreted the documentation on first reading.

returning an Optional could make sense, too, but that would change the interface a bit too much, I think.