cxf-dev mailing list archives

From Fred Dushin <>
Subject Re: Http Authentication Policy
Date Fri, 09 Mar 2007 18:43:02 GMT

On Mar 9, 2007, at 12:44 PM, Daniel Kulp wrote:

> The AuthenticationPolicy object can be
> created programmatically and passed in via the message properties.
> If the object is available on the message, it's used. Likewise for all the
> SSLClientPolicy.

Slightly orthogonal, but the SSLClient policy [sic] is deficient in  
that it only supports a URL specification of key material -- so it  
basically has to be on the file system.  (Not a logical requirement,  
but a current implementation constraint).  The security implications  
of loading keys off an http URL are "outside of the scope of this  
paper" :)

I'd like to see judicious use of a ClassLoader, and Java code that
does key material retrieval.  Gives you the opportunity to get keys
programmatically from somewhere other than a file.

Something as simple as

    interface KeyRetrievalMechanism {
        KeyStore getKeyStore();
    }

where a is just a canonical representation of  
key/certificate material.  Default impls can read off the filesystem.

This would let you (or your clients) hook into something like the  
CDSA [1] with relative ease.

[1] Cf., open  
source version available at 
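A worked version of the interface sketched above, added here as an illustration for this archive page. This is not Fred's code, nor CXF's SSLClientPolicy or any other CXF API; the class names, constructors and the "trusted" alias are assumptions. It shows the default filesystem implementation he mentions, a ClassLoader-backed one, and a purely programmatic one that builds a java.security.KeyStore in memory. Because the abstraction hands back a KeyStore rather than accepting a URL string, a caller cannot express "load my private key over http"; that constraint is the only mitigation the design needs for the concern raised in the email.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;

/** Hypothetical abstraction (assumed name, from the email's sketch):
 *  the caller asks for a KeyStore and does not care where it came from. */
interface KeyRetrievalMechanism {
    KeyStore getKeyStore() throws GeneralSecurityException, IOException;
}

/** Default implementation: read a keystore file from the local filesystem. */
final class FileKeyRetrievalMechanism implements KeyRetrievalMechanism {
    private final Path path;
    private final String type;
    private final char[] password;

    FileKeyRetrievalMechanism(Path path, String type, char[] password) {
        this.path = path;
        this.type = type;
        this.password = password.clone();
    }

    @Override
    public KeyStore getKeyStore() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);   // verifies keystore integrity with the password
        }
        return ks;
    }
}

/** ClassLoader implementation: resolves the keystore as a classpath resource,
 *  so it can ship inside a jar rather than sit on the filesystem. */
final class ClassLoaderKeyRetrievalMechanism implements KeyRetrievalMechanism {
    private final ClassLoader loader;
    private final String resource;
    private final String type;
    private final char[] password;

    ClassLoaderKeyRetrievalMechanism(ClassLoader loader, String resource,
                                     String type, char[] password) {
        this.loader = loader;
        this.resource = resource;
        this.type = type;
        this.password = password.clone();
    }

    @Override
    public KeyStore getKeyStore() throws GeneralSecurityException, IOException {
        try (InputStream in = loader.getResourceAsStream(resource)) {
            if (in == null) {
                throw new IOException("keystore resource not found: " + resource);
            }
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(in, password);
            return ks;
        }
    }
}

/** Programmatic implementation: key material obtained from somewhere other
 *  than a file (here a Certificate already held in memory, e.g. fetched from
 *  a CDSA-style store) is wrapped in a KeyStore built on the fly. */
final class InMemoryTrustRetrievalMechanism implements KeyRetrievalMechanism {
    private final Certificate trusted;

    InMemoryTrustRetrievalMechanism(Certificate trusted) {
        this.trusted = trusted;
    }

    @Override
    public KeyStore getKeyStore() throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                       // initialise an empty keystore
        ks.setCertificateEntry("trusted", trusted); // alias "trusted" is assumed
        return ks;
    }
}

/** Usage: java KeyRetrievalDemo /path/to/keystore.jks changeit (constructed example). */
public class KeyRetrievalDemo {
    public static void main(String[] args) throws Exception {
        KeyRetrievalMechanism mech = new FileKeyRetrievalMechanism(
                Paths.get(args[0]), "JKS", args[1].toCharArray());
        KeyStore ks = mech.getKeyStore();
        System.out.println("loaded keystore with " + ks.size() + " entries");
    }
}
```

The SSL setup code would then depend only on KeyRetrievalMechanism; swapping the filesystem default for a ClassLoader or in-memory source is a constructor change, not a change to the TLS code.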

