Subject: Re: X509Certificate support
From: Les Hazlewood
To: shiro-dev@incubator.apache.org
Date: Wed, 5 May 2010 14:59:38 -0700
In-Reply-To: <201005051204.05981.eskatos@n0pe.org>

Hi Paul,

First let me say that this is really cool - thanks so much for considering contributing!

As far as the deliverable - any way you want to do it is perfectly fine. My personal opinion is that it is actually easier to work with a patch (even if it is kind of big) rather than a separate project. A separate project would require us to manually move code from one project to another, whereas if it is a patch applied to the existing codebase, we can rely on our IDEs to refactor and move stuff around. I'd probably just create a new package like org.apache.shiro.x509 or something like that, and then we can move those classes into respective packages later if that makes sense. But of course, we'd appreciate the submission in any form that makes it easy for you to do so.

The best way to submit whatever deliverable you choose is to attach it to a Jira issue. That qualifies it as a valid ASF contribution. But if you think you might be working on this stuff a little more regularly, you'll want to ensure that the ASF has a CLA (Contributor License Agreement) on file. Otherwise the attachment will be fine!

Anyway, I'm looking forward to it!

- Les

On Wed, May 5, 2010 at 3:04 AM, Paul Merlin wrote:
> Hi,
>
> For my own needs I wrote support for X509Certificate mutual authentication for
> shiro and I will contribute it back.
>
> I implemented several CredentialMatchers:
> - DN matching (but I think this is the poor man's mutual authentication as it
> opens security vulnerabilities)
> - certificate fingerprint matching (more robust IMHO)
> - full PKIX path validation using a trusted certificates collection provided by
> the underlying realm (really nice if you have several authorities and a complex
> security model)
>
> All these are working fine.
>
> Obviously some code in my current implementation is a bit specific but I think
> that with some more work it will be usable as a generic implementation.
>
> All this needs several classes, so I am thinking about extracting the code from my
> project, packaging it as a standalone project depending on shiro so that it's
> easily testable without applying a complex patch. Les, do you have any
> suggestions about this?
>
> Cheers
>
> /Paul
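The two stronger strategies Paul lists (leaf-certificate fingerprint matching and full PKIX path validation against the realm's trusted CAs) map directly onto Shiro's CredentialsMatcher interface. The sketch below is an added example, not Paul's contribution or Shiro's own code; it assumes the token's credentials are the presented X509Certificate[] (leaf first), that the fingerprint realm stores the expected SHA-256 of the leaf as a hex string, and that the PKIX realm supplies its trusted CA certificates as a Collection<X509Certificate>.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.*;
import java.util.*;
import org.apache.shiro.authc.AuthenticationInfo;
import org.apache.shiro.authc.AuthenticationToken;
import org.apache.shiro.authc.credential.CredentialsMatcher;

/** Fingerprint matching (assumed layout): token.getCredentials() is the presented
 *  X509Certificate[] (leaf first); info.getCredentials() is the expected SHA-256 hex. */
class FingerprintMatcher implements CredentialsMatcher {
    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        try {
            X509Certificate leaf = ((X509Certificate[]) token.getCredentials())[0];
            byte[] actual = MessageDigest.getInstance("SHA-256").digest(leaf.getEncoded());
            String hex = ((String) info.getCredentials()).replace(":", "").toLowerCase();
            byte[] expected = new byte[hex.length() / 2];
            for (int i = 0; i < expected.length; i++)
                expected[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
            return MessageDigest.isEqual(actual, expected); // constant-time comparison
        } catch (GeneralSecurityException | RuntimeException e) {
            return false; // bad encoding or malformed stored value: deny rather than throw
        }
    }
}

/** PKIX path validation (assumed layout): info.getCredentials() is the realm's
 *  Collection<X509Certificate> of trusted CAs; the whole chain must validate to one. */
class PkixPathMatcher implements CredentialsMatcher {
    public boolean doCredentialsMatch(AuthenticationToken token, AuthenticationInfo info) {
        try {
            X509Certificate[] chain = (X509Certificate[]) token.getCredentials();
            Collection<?> trusted = (Collection<?>) info.getCredentials();
            Set<TrustAnchor> anchors = new HashSet<>();
            for (Object ca : trusted) anchors.add(new TrustAnchor((X509Certificate) ca, null));
            List<Certificate> path = new ArrayList<>();
            for (X509Certificate c : chain) if (!trusted.contains(c)) path.add(c); // anchors stay out of the path
            PKIXParameters params = new PKIXParameters(anchors);
            params.setRevocationEnabled(false); // wire CRLs/OCSP via a CertStore before relying on this in production
            CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
            CertPathValidator.getInstance("PKIX").validate(certPath, params); // throws on untrusted/expired/broken chain
            return true;
        } catch (GeneralSecurityException | RuntimeException e) {
            return false;
        }
    }
}
```

The DN-matching variant Paul describes as the weakest is deliberately left out: a subject DN alone is not bound to the key that authenticated the TLS session, which is why the fingerprint and PKIX forms are the ones worth wiring into a realm.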