tomcat-dev mailing list archives

From Remy Maucherat
Subject Re: I have some new FormAuthenticator code for Tomcat.
Date Mon, 27 Jun 2005 19:50:26 GMT
Mark Thomas wrote:
> I am -1 for this for the following reasons (in order of importance):
> 1. Your reference to sending an encrypted user certificate file to the 
> server demonstrates a lack of understanding of PKI that undermines my 
> confidence that you know what you are doing when it comes to security.
> 2. JAAS provides plug-in authentication.
> 3. Password hashing is already supported.
> 4. The implementation is Tomcat specific and hence is non-portable.

I agree with the arguments. I'll be the first to admit, however, that 
FORM (and the other auth methods from the spec) are insufficient and not 
flexible enough, and I am not completely against adding additional 
custom auth-methods.
