CDAP-7287 we added a way to allow TLS authentication of CDAP clients. The custom handler doing TLS authentication needs access to keystore (and its password) to verify the client certificates.
Today AbstractAuthenticationHandler does not have a way to pass secure configuration to custom authentication handlers. Hence keystore and its password will have to be specified in a world-readable cdap-site.xml file. It would be good to have a way to pass the secure configuration from cdap-security.xml to authentication handlers.