cxf-dev mailing list archives

From Fred Dushin <f...@dushin.net>
Subject Re: Http Authentication Policy
Date Fri, 09 Mar 2007 18:43:02 GMT

On Mar 9, 2007, at 12:44 PM, Daniel Kulp wrote:

> The AuthenticationPolicy object can be
> created programmatically and passed in via the message properties.    
> If the
> object is available on the message, it's used.   Likewise for all the
> SSLClientPolicy.

Slightly orthogonal, but the SSLClient policy [sic] is deficient in  
that it only supports a URL specification of key material -- so it  
basically has to be on the file system.  (Not a logical requirement,  
but a current implementation constraint).  The security implications  
of loading keys off an http URL are "outside of the scope of this  
paper" :)

I'd like to see judicious use of a ClassLoader, and Java code that  
does key material retrieval.  Gives you the opportunity to get keys  
programmatically from somewhere other than a file.

Something as simple as

interface KeyRetrievalMechanism {

    // Returns the key/certificate material; the implementation decides where it comes from.
    java.security.KeyStore getKeyStore();
}

where a java.security.KeyStore is just a canonical representation of  
key/certificate material.  Default impls can read off the filesystem.

This would let you (or your clients) hook into something like the  
CDSA [1] with relative ease.

[1] Cf. http://www.opengroup.org/publications/catalog/c914.htm, open  
source version available at http://developer.apple.com/opensource/security/index.html

-Fred

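The following is an added example, not code from the message above or from CXF, showing what the proposed retrieval hook could look like in practice: the interface from the message, a default file-system implementation, a ClassLoader-backed implementation that loads the keystore as a classpath resource, and a consumer that builds an SSLContext from whichever source it is handed. The class names, the resource name "client-truststore.jks", the keystore type and the password are all assumptions for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/** Hypothetical interface, following the sketch in the message (not a CXF API). */
interface KeyRetrievalMechanism {
    KeyStore getKeyStore() throws GeneralSecurityException, IOException;
}

/** Default implementation: read a keystore file from the local file system. */
final class FileKeyStoreRetrieval implements KeyRetrievalMechanism {
    private final Path path;
    private final String type;
    private final char[] password;

    FileKeyStoreRetrieval(Path path, String type, char[] password) {
        this.path = path;
        this.type = type;
        this.password = password;
    }

    @Override
    public KeyStore getKeyStore() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) {
            // Passing the password makes load() verify the keystore integrity check;
            // passing null would skip that verification.
            ks.load(in, password);
        }
        return ks;
    }
}

/** Alternative: fetch the keystore through a ClassLoader, so it can ship inside a jar rather than on disk. */
final class ClassLoaderKeyStoreRetrieval implements KeyRetrievalMechanism {
    private final ClassLoader loader;
    private final String resource;
    private final String type;
    private final char[] password;

    ClassLoaderKeyStoreRetrieval(ClassLoader loader, String resource, String type, char[] password) {
        this.loader = loader;
        this.resource = resource;
        this.type = type;
        this.password = password;
    }

    @Override
    public KeyStore getKeyStore() throws GeneralSecurityException, IOException {
        InputStream in = loader.getResourceAsStream(resource);
        if (in == null) {
            throw new IOException("keystore resource not found on classpath: " + resource);
        }
        try (InputStream stream = in) {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(stream, password);
            return ks;
        }
    }
}

/** Consumer side: only the KeyStore is needed, not knowledge of where it came from. */
final class TrustStoreSslContextBuilder {
    static SSLContext build(KeyRetrievalMechanism trustSource) throws GeneralSecurityException, IOException {
        KeyStore trust = trustSource.getKeyStore();
        if (trust.size() == 0) {
            // A misconfigured source (wrong file, wrong resource) usually shows up as an empty store.
            throw new KeyStoreException("trust store contains no entries; refusing to build an SSLContext");
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumption: a JKS truststore named client-truststore.jks is packaged on the classpath.
        KeyRetrievalMechanism source = new ClassLoaderKeyStoreRetrieval(
                TrustStoreSslContextBuilder.class.getClassLoader(),
                "client-truststore.jks", "JKS", "changeit".toCharArray());
        SSLContext ctx = build(source);
        System.out.println("SSLContext ready, protocol " + ctx.getProtocol());
    }
}
```

Because the consumer only sees a KeyStore, a third implementation that assembles the store in memory from material obtained programmatically (a hardware token, a CDSA-style service, a secrets store) plugs in without touching the SSL policy code, and the question of fetching key material over an http URL simply does not arise: the policy never handles a URL at all.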