shiro-dev mailing list archives

From Les Hazlewood <lhazlew...@apache.org>
Subject Re: X509Certificate support
Date Thu, 06 May 2010 00:33:29 GMT
Thanks guys - please keep us posted.

On Wed, May 5, 2010 at 5:21 PM, Brian Demers <brian.demers@gmail.com> wrote:
> Last I heard the guy wanted to donate it, but MIT's lawyers got in the way.
>  There was interest from another school for this too.  I can ping the
> author to see if he had any luck and is still interested.
>
> Paul, post the jira when you get time to submit it, and I will pass it
> along.
>
>
> On Wed, May 5, 2010 at 6:01 PM, Les Hazlewood <lhazlewood@apache.org> wrote:
>
>> I totally agree - it'd be great to see what that Realm did and see if
>> there is synergy with Paul's work.  Brian, do you know if that Realm
>> could be donated to the project?  Is it available online somewhere
>> (e.g. under the MIT license?).
>>
>> - Les
>>
>> On Wed, May 5, 2010 at 7:12 AM, Brian Demers <brian.demers@gmail.com> wrote:
>> > I know of another JSecurity X509 Realm, although the implementation
>> > was specific to MIT's single sign on server.   So I think extracting any
>> > common pieces would be great, even if it ends up in its own module i.e.
>> > shiro-x509
>> >
>> >
>> > On Wed, May 5, 2010 at 6:04 AM, Paul Merlin <eskatos@n0pe.org> wrote:
>> >
>> >> Hi,
>> >>
>> >> For my own needs I wrote support of X509Certificate mutual authentication
>> >> for shiro and I will contribute it back.
>> >>
>> >> I implemented several CredentialMatchers:
>> >> - DN matching (but I think this is the poor man's mutual authentication
>> >> as it opens security vulnerabilities)
>> >> - certificate fingerprint matching (more robust IMHO)
>> >> - full PKIX path validation using a trusted certificates collection
>> >> provided by the underlying realm (really nice if you have several
>> >> authorities and a complex security model)
>> >>
>> >> All these are working fine.
>> >>
>> >> Obviously some code in my current implementation is a bit specific but I
>> >> think that with some more work it will be usable as a generic
>> >> implementation.
>> >>
>> >> All this needs several classes, so I think about extracting the code from
>> >> my project, packaging it as a standalone project depending on shiro so
>> >> that it's easily testable without applying a complex patch. Les, do you
>> >> have any suggestions about this?
>> >>
>> >> Cheers
>> >>
>> >> /Paul
>> >>
>> >>
>> >>
>> >
>>
>
