shiro-dev mailing list archives

From Les Hazlewood <lhazlew...@apache.org>
Subject Re: X509Certificate support
Date Wed, 30 Jun 2010 16:34:51 GMT

Hi Paul,

> As I wrote a while back, I implemented 3 Credential Matching Strategies. Only
> the third one requires Bouncy Castle as dependency.

Nice!

>> I implemented several CredentialMatchers :
>> - DN matching (but I think this is the poor man's mutual authentication as
>> it opens security vulnerabilities)
>> - certificate fingerprint matching (more robust IMHO)
>> - full PKIX path validation using a trusted certificates collection
>> provided by the underlying realm (really nice if you have several
>> authorities and a complex security model)
>
> We can imagine putting only this in a separate module and have basic X.509 support
> in shiro-web.
>
> WDYT ?

+1

Since this would be purely optional, I don't have a problem adding
this as a support module.  We may find that we want to support some
other BC things in the future, like additional Cipher Modes of
Operation that aren't in the JDK by default for CipherService
implementations.  Anyone else have an opinion?

Les
