[security-dev] Resteasy authentication

Darran Lofthouse darran.lofthouse at jboss.com
Wed Nov 28 10:01:02 EST 2012


Just catching up on some threads before getting back to some HTTP 
authentication myself.

On 11/26/2012 09:38 PM, Bill Burke wrote:
> * Browser-based clients can't negotiate

That is not completely true - there is a limited level of negotiation 
within browsers as HTTP already supports multiple mechanisms concurrently.

Within AS7 and Remoting for SASL we provide the client with a list of 
supported mechanisms, the client chooses one mechanism - tries to auth, 
fails and then tries the next mechanism on the list.  It is true that 
this sequence is not possible within HTTP.

However, for the HTTP authenticators I am currently working on, instead of 
sending the client the simple list we send them a response containing a 
challenge for each supported mechanism - the browser then chooses which 
mechanism it supports and uses it to respond to the challenge.

> * client-cert auth is just completely different than other auth
> mechanisms as is part of the socket connection set up, and nothing to do
> with HTTP

Combining client-cert auth with other HTTP mechanisms is more about 
prioritising the order in which we make the decisions regarding authenticating, 
so checking if there is a client certificate available on the connection 
that we can use to authenticate before we make the decision to send the 
challenges.

> * Any negotiation protocol sounds like it would be proprietary, so why
> not define our own auth protocols to begin with?
>
> IMO, we paint a vision, implement something very specific for that
> vision, then, later on worry about the ugly-soup of protocols that would
> need to be integrated.
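An added example (not code from this thread, nor from Resteasy or AS7) of the two points above: the server uses a client certificate already on the connection before it sends any challenge, and otherwise answers with one WWW-Authenticate challenge per supported mechanism, from which the client picks the one it supports. The request shape, the mechanism list and the nonce value are assumptions constructed for the example.

```python
import re

# Mechanisms the server offers, in the order it prefers them (constructed
# values; the nonce is a placeholder, a real server generates one per challenge).
SERVER_MECHANISMS = [
    ("Negotiate", ""),
    ("Digest", 'realm="example", qop="auth", nonce="PLACEHOLDER-NONCE"'),
    ("Basic", 'realm="example"'),
]

def challenges_for(request):
    """Server side. `request` is a dict (assumed shape) with an optional
    'client_cert' entry filled in by the TLS layer. If a certificate is
    already on the connection we authenticate from it and send no challenge;
    otherwise we return one WWW-Authenticate value per mechanism so the
    browser can choose whichever it supports in a single round trip."""
    if request.get("client_cert"):
        return None
    return [f"{scheme} {params}".strip() for scheme, params in SERVER_MECHANISMS]

# One header value = one challenge: "<scheme>" or "<scheme> <params>".
_CHALLENGE = re.compile(r"^([A-Za-z0-9_-]+)(?:\s+(.*))?$")

def parse_challenges(header_values):
    """Client side. Parse each WWW-Authenticate header value into
    (scheme, params). Emitting one challenge per header, rather than
    comma-joining them into one header, keeps this parse unambiguous
    because Digest parameters themselves contain commas."""
    parsed = []
    for value in header_values:
        m = _CHALLENGE.match(value.strip())
        if m:
            parsed.append((m.group(1), m.group(2) or ""))
    return parsed

def choose_mechanism(header_values, client_preference):
    """Client side. Pick the first mechanism in the client's own preference
    list that the server offered. Returns (scheme, params), or None when
    nothing overlaps (a browser would then just render the 401 page)."""
    offered = {s.lower(): p for s, p in parse_challenges(header_values)}
    for scheme in client_preference:
        if scheme.lower() in offered:
            return scheme, offered[scheme.lower()]
    return None

if __name__ == "__main__":
    hdrs = challenges_for({})                                # anonymous, no cert
    print(hdrs)
    print(choose_mechanism(hdrs, ["Digest", "Basic"]))       # no Negotiate support
    print(challenges_for({"client_cert": {"subject": "CN=alice"}}))  # None
```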
