On Wednesday, June 30, 2010 at 00:05:07, Les Hazlewood wrote:
> Circling back to this - is there a way to have an X.509 realm that
> does not require BouncyCastle? I haven't looked at the patch yet
> myself to verify this (I'll check it out sometime this week if I have
> time). I'm not necessarily against having a new 3rd party module for
> bouncycastle if the community feels this is needed, but my personal
> preference is to avoid that if there is a reasonably clean way of
> supporting X.509 without it.
>
> Les
Hi Les,

Glad you found time to get back to this thread :)

As I wrote a while back, I implemented 3 Credential Matching Strategies. Only the third one requires Bouncy Castle as a dependency.

On Wednesday, May 5, 2010 at 12:04:05, Paul Merlin wrote:
> I implemented several CredentialMatchers:
> - DN matching (but I think this is the poor man's mutual authentication as
> it opens security vulnerabilities)
> - certificate fingerprint matching (more robust IMHO)
> - full PKIX path validation using a trusted certificates collection
> provided by the underlying realm (really nice if you have several
> authorities and a complex security model)

We can imagine putting only this in a separate module and having basic X.509 support in shiro-web. WDYT?

/Paul
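The three matching strategies Paul lists can be sketched with nothing but JDK classes, which is relevant to Les's question about avoiding the Bouncy Castle dependency. The following is an added illustration, not code from the Shiro patch or project: the `X509CredentialMatchers` class and its method names are hypothetical, the client certificate chain is assumed to come from the container (for example the `javax.servlet.request.X509Certificate` request attribute), and the trusted CA collection is assumed to be supplied by the realm. The DN strategy is kept alongside the others to show why it is the weakest: it accepts any certificate whose subject matches, regardless of who issued it, unless the chain is validated as well.

```java
import java.security.MessageDigest;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.security.auth.x500.X500Principal;

/** Hypothetical helper (not Shiro code) showing the three strategies with JDK-only APIs. */
public final class X509CredentialMatchers {

    /**
     * Strategy 1: DN matching. Only the subject name is compared, so any issuer able to
     * mint a certificate with that subject would match. Use this only on top of
     * path validation (strategy 3), never on its own.
     */
    static boolean matchesDn(X509Certificate presented, String expectedDn) {
        return presented.getSubjectX500Principal().equals(new X500Principal(expectedDn));
    }

    /**
     * Strategy 2: fingerprint matching. Binds the account to one exact certificate by
     * comparing a SHA-256 digest of its DER encoding with the stored fingerprint.
     * MessageDigest.isEqual is used so the comparison does not leak timing.
     */
    static boolean matchesFingerprint(X509Certificate presented, byte[] expectedSha256)
            throws Exception {
        byte[] actual = MessageDigest.getInstance("SHA-256").digest(presented.getEncoded());
        return MessageDigest.isEqual(actual, expectedSha256);
    }

    /**
     * Strategy 3: full PKIX path validation against the trusted certificates the realm
     * provides. The JDK's CertPathValidator handles this without Bouncy Castle.
     */
    static boolean validatesAgainst(X509Certificate[] chain,
                                    Collection<X509Certificate> trustedCas) throws Exception {
        Set<TrustAnchor> anchors = new HashSet<>();
        for (X509Certificate ca : trustedCas) {
            anchors.add(new TrustAnchor(ca, null));
        }

        // The path handed to the validator must end below the trust anchor, so drop any
        // trusted CA certificates the container appended to the presented chain.
        List<X509Certificate> certs = new ArrayList<>(Arrays.asList(chain));
        while (!certs.isEmpty() && trustedCas.contains(certs.get(certs.size() - 1))) {
            certs.remove(certs.size() - 1);
        }
        if (certs.isEmpty()) {
            return false; // nothing left to validate
        }

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath path = cf.generateCertPath(certs);
        PKIXParameters params = new PKIXParameters(anchors);
        // Revocation checking needs CRL or OCSP configuration; it is disabled here so
        // the example runs offline. Enable it in a deployment.
        params.setRevocationEnabled(false);

        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return true;
        } catch (CertPathValidatorException e) {
            return false; // expired, untrusted issuer, broken chain, etc.
        }
    }
}
```

The separation Paul proposes maps naturally onto this: strategies 1 and 2 need only `java.security`, while a richer path-validation module could add Bouncy Castle-specific features on top of strategy 3.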
