Hi,

For my own needs I wrote support for X509Certificate mutual authentication for Shiro and I will contribute it back.

I implemented several CredentialsMatchers:
- DN matching (but I think this is the poor man's mutual authentication as it opens security vulnerabilities)
- certificate fingerprint matching (more robust IMHO)
- full PKIX path validation using a trusted certificates collection provided by the underlying realm (really nice if you have several authorities and a complex security model)

All these are working fine. Obviously some code in my current implementation is a bit specific, but I think that with some more work it will be usable as a generic implementation.

All this needs several classes, so I am thinking about extracting the code from my project and packaging it as a standalone project depending on Shiro, so that it's easily testable without applying a complex patch.

Les, do you have any suggestions about this?

Cheers
/Paul
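The two more robust checks named in the post (fingerprint matching and full PKIX path validation against a realm-supplied trust collection), written here as an added illustration against plain JSE APIs rather than as Paul's contributed code; the class name, the `trustedCerts` and `expectedFingerprint` parameters, and the choice of SHA-256 are assumptions, and wiring into a Shiro CredentialsMatcher is left out.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added example, not the contributed implementation: helper checks a
// CredentialsMatcher could delegate to. Names are assumptions for illustration.
public final class ClientCertChecks {

    // Fingerprint matching: digest the DER encoding of the presented leaf
    // certificate and compare it with the value stored for the account.
    public static boolean fingerprintMatches(X509Certificate presented,
                                             byte[] expectedFingerprint)
            throws GeneralSecurityException {
        byte[] actual = MessageDigest.getInstance("SHA-256")
                                     .digest(presented.getEncoded());
        // Constant-time comparison: no timing signal on how many bytes matched.
        return MessageDigest.isEqual(actual, expectedFingerprint);
    }

    // Full PKIX path validation: the chain presented by the client (leaf first)
    // must chain to one of the certificates in the realm's trusted collection,
    // with signatures, validity periods and constraints checked by the JSE.
    public static boolean pkixPathValid(List<X509Certificate> chain,
                                        Collection<X509Certificate> trustedCerts) {
        try {
            Set<TrustAnchor> anchors = new HashSet<>();
            for (X509Certificate ca : trustedCerts) {
                anchors.add(new TrustAnchor(ca, null));
            }
            PKIXParameters params = new PKIXParameters(anchors);
            // Revocation checking is off so the example is self-contained;
            // a deployment would enable it and supply CRLs or OCSP instead.
            params.setRevocationEnabled(false);
            CertPath path = CertificateFactory.getInstance("X.509")
                                              .generateCertPath(chain);
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (GeneralSecurityException e) {
            // Untrusted issuer, expired cert, bad signature, constraint violation.
            return false;
        }
    }
}
```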
