shiro-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Paul Merlin <>
Subject Re: X509Certificate support
Date Wed, 30 Jun 2010 07:07:13 GMT
Le mercredi 30 juin 2010 00:05:07, Les Hazlewood a écrit :
> Circling back to this - is there a way to have an X.509 realm that
> does not require BouncyCastle?  I haven't looked at the patch yet
> myself to verify this (I'll check it out sometime this week if I have
> time).  I'm not necessarily against having a new 3rd party module for
> bouncycastle if the community feels this is needed, but my personal
> preference is to avoid that if there is a reasonably clean way of
> supporting X.509 without it.
> Les

Hi Les,

Glad you found time to get back to this thread :)

As I wrote a while back, I implemented 3 Credential Matching Strategies. Only 
the third one requires Bouncy Castle as dependency.

Le mercredi 05 mai 2010 12:04:05, Paul Merlin a écrit :
> I implemented several CredentialMatchers :
> - DN matching (but I think this is the poor's man mutual authentication as
> it opens security vulnerabilities)
> - certificate fingerprint matching (more robust IMHO)
> - full PKIX path validation using a trusted certificates collection
> provided by the underling realm (really nice if you have several
> authorities and a complex security model)

We can imagine put only this in a separate module and have basic X.509 support 
in shiro-web.



View raw message