I know of another JSecurity X509 Realm, although the implementation
was specific to MIT's single sign on server. So I think extracting any common
pieces would be great, even if it ends up in its own module, i.e. shiro-x509.


On Wed, May 5, 2010 at 6:04 AM, Paul Merlin <[email protected]> wrote:

> Hi,
>
> For my own needs I wrote support of X509Certificate mutual authentication
> for shiro and I will contribute it back.
>
> I implemented several CredentialMatchers:
> - DN matching (but I think this is the poor man's mutual authentication as
>   it opens security vulnerabilities)
> - certificate fingerprint matching (more robust IMHO)
> - full PKIX path validation using a trusted certificates collection
>   provided by the underlying realm (really nice if you have several
>   authorities and a complex security model)
>
> All these are working fine.
>
> Obviously some code in my current implementation is a bit specific but I
> think that with some more work it will be usable as a generic implementation.
>
> All this needs several classes, so I think about extracting the code from
> my project, packaging it as a standalone project depending on shiro so that
> it's easily testable without applying a complex patch. Les, do you have any
> suggestions about this?
>
> Cheers
>
> /Paul