I totally agree - it'd be great to see what that Realm did and see if there is synergy with Paul's work. Brian, do you know if that Realm could be donated to the project? Is it available online somewhere (e.g. under the MIT license?).
- Les

On Wed, May 5, 2010 at 7:12 AM, Brian Demers <[email protected]> wrote:

> I know of another JSecurity X509 Realm, although the implementation
> was specific to MIT's single sign on server. So I think extracting any common
> pieces would be great, even if it ends up in its own module i.e. shiro-x509
>
> On Wed, May 5, 2010 at 6:04 AM, Paul Merlin <[email protected]> wrote:
>
>> Hi,
>>
>> For my own needs I wrote support of X509Certificate mutual authentication
>> for shiro and I will contribute it back.
>>
>> I implemented several CredentialMatchers:
>> - DN matching (but I think this is the poor man's mutual authentication
>>   as it opens security vulnerabilities)
>> - certificate fingerprint matching (more robust IMHO)
>> - full PKIX path validation using a trusted certificates collection
>>   provided by the underlying realm (really nice if you have several
>>   authorities and a complex security model)
>>
>> All these are working fine.
>>
>> Obviously some code in my current implementation is a bit specific but I
>> think that with some more work it will be usable as a generic
>> implementation.
>>
>> All this needs several classes, so I think about extracting the code from
>> my project, packaging it as a standalone project depending on shiro so
>> that it's easily testable without applying a complex patch. Les, do you
>> have any suggestions about this?
>>
>> Cheers
>>
>> /Paul
