tomcat-dev mailing list archives

From Remy Maucherat <r...@apache.org>
Subject Re: I have some new FormAuthenticator code for Tomcat.
Date Mon, 27 Jun 2005 19:50:26 GMT
Mark Thomas wrote:
> I am -1 for this for the following reasons (in order of importance):
> 
> 1. Your reference to sending an encrypted user certificate file to the 
> server demonstrates a lack of understanding of PKI that undermines my 
> confidence that you know what you are doing when it comes to security.
> 2. JAAS provides plug-in authentication.
> 3. Password hashing is already supported.
> 4. The implementation is Tomcat specific and hence is non-portable.

I agree with the arguments. I'll be the first to admit, however, that 
FORM (and the other auth methods from the spec) are insufficient and not 
flexible enough, and I am not completely against adding additional 
custom auth-methods.

Rémy
