Accept signingCertificate and supportedSignatureAlgorithms only if requestSigningCert configuration is true.

aarmam · aarmam · commit 3bc2cf185715 · 2025-11-12T14:22:08.000+02:00
diff --git a/example/src/main/java/eu/webeid/example/security/WebEidAuthenticationProvider.java b/example/src/main/java/eu/webeid/example/security/WebEidAuthenticationProvider.java
@@ -43,7 +43,6 @@
 import java.security.cert.X509Certificate;
 import java.util.Collections;
 import java.util.List;
-import java.util.Optional;
 
 /**
  * Parses JWT from token string inside AuthTokenDTO and attempts authentication.
@@ -57,10 +56,12 @@ public class WebEidAuthenticationProvider implements AuthenticationProvider {
 
     private final AuthTokenValidator tokenValidator;
     private final ChallengeNonceStore challengeNonceStore;
+    private final boolean requireSigningCert;
 
     public WebEidAuthenticationProvider(AuthTokenValidator tokenValidator, ChallengeNonceStore challengeNonceStore, WebEidMobileProperties webEidMobileProperties) {
         this.tokenValidator = tokenValidator;
         this.challengeNonceStore = challengeNonceStore;
+        this.requireSigningCert = webEidMobileProperties.requestSigningCert();
     }
 
     @Override
@@ -75,12 +76,12 @@ public Authentication authenticate(Authentication auth) throws AuthenticationExc
         try {
             final String nonce = challengeNonceStore.getAndRemove().getBase64EncodedNonce();
             final X509Certificate userCertificate = tokenValidator.validate(authToken, nonce);
-            final String signingCertificate = Optional.ofNullable(authToken)
-                .map(WebEidAuthToken::getUnverifiedSigningCertificate)
-                .orElse(null);
-            final List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms = Optional.ofNullable(authToken)
-                .map(WebEidAuthToken::getSupportedSignatureAlgorithms)
-                .orElse(null);
+            final String signingCertificate = requireSigningCert
+                ? authToken.getUnverifiedSigningCertificate()
+                : null;
+            final List<SupportedSignatureAlgorithm> supportedSignatureAlgorithms = requireSigningCert
+                ? authToken.getSupportedSignatureAlgorithms()
+                : null;
 
             return WebEidAuthentication.fromCertificate(userCertificate, signingCertificate, supportedSignatureAlgorithms, authorities);
         } catch (AuthTokenException e) {
