<div dir="ltr">Looks like they weren't on the USB drive either :( I emailed Les to see if I could get a copy from him to review. I also noticed Stormpath (his security consulting company) has a ruby interface: <a href="https://github.com/stormpath">https://github.com/stormpath</a> I think this is something we should closely look into for Torquebox, Immutant and Escalante.<br>
</div><div class="gmail_extra"><br><br><div class="gmail_quote">On Sat, Feb 9, 2013 at 7:54 AM, Jason Porter <span dir="ltr"><<a href="mailto:lightguard.jp@gmail.com" target="_blank">lightguard.jp@gmail.com</a>></span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">I'll send it over when I get home<br>
<br>
Sent from my iPhone<br>
<div class="HOEnZb"><div class="h5"><br>
On Feb 9, 2013, at 7:44, Pete Muir <<a href="mailto:pmuir@redhat.com">pmuir@redhat.com</a>> wrote:<br>
<br>
> RWX have removed access to this presentation. Does anyone have it cached?<br>
><br>
> On 3 Dec 2012, at 13:07, Jason Porter wrote:<br>
><br>
>> Here's a PDF [1] of a session I attended at RWX this past week. Start looking at page 25 onward for some ideas on how we can better store passwords with something other than just a salted hash, it may also give us a good advantage with other competitors. If you can't get to the PDF, let me know and I'll attach it.<br>
>><br>
>> [1] <a href="http://therichwebexperience.com/s/slides/current/speaker/Les_Hazlewood/intro_to_application_security/Intro_to_Application_Security.pdf" target="_blank">http://therichwebexperience.com/s/slides/current/speaker/Les_Hazlewood/intro_to_application_security/Intro_to_Application_Security.pdf</a><br>
>><br>
>><br>
>> On Mon, Dec 3, 2012 at 2:37 AM, Darran Lofthouse <<a href="mailto:darran.lofthouse@jboss.com">darran.lofthouse@jboss.com</a>> wrote:<br>
>> On 12/03/2012 09:23 AM, Darran Lofthouse wrote:<br>
>>> On 12/02/2012 11:09 PM, Shane Bryzak wrote:<br>
>>>> On 12/01/2012 09:55 PM, Darran Lofthouse wrote:<br>
>>>>> * Multiple Credentials *<br>
>>>>><br>
>>>>> The validateCredential method potentially allows many different types of<br>
>>>>> Credential to be used - however the updateCredential method seems to<br>
>>>>> apply a 1:1 mapping of User and Credential.<br>
>>>>><br>
>>>>> I can see situations where a user would have multiple Credentials, an<br>
>>>>> immediate example being both a Password and a X509Certificate.<br>
>>>><br>
>>>> This is an implementation detail - all IdentityStore implementations<br>
>>>> should support the storing of multiple credential types. Out of the box<br>
>>>> we support PasswordCredential, DigestCredential and<br>
>>>> X509CertificateCredential and two separate calls to updateCredential()<br>
>>>> with different credential types should persist both credentials.<br>
>>><br>
>>> I would suggest if reviewing the Credential APIs one thing that we would<br>
>>> need to be sure of it that we can operate on the individual Credentials<br>
>>> - we may need to be choosing which one to update or remove.<br>
>>><br>
>>> Also for Certificates we may want the ability to have a new Certificate<br>
>>> set before an old one expires possibly with or without an overlap.<br>
>><br>
>> Also if looking at Certificates as I mentioned on another thread if the<br>
>> APIs from the IDM allow us to wrap it with an X509TrustManager<br>
>> implementation that would potentially provide us with the capability to<br>
>> tie in the SSL negotiation as connections are established with the<br>
>> identity store.<br>
>><br>
>> In current AS releases this can be a bit disjointed getting the two tied<br>
>> together.<br>
>><br>
>>> _______________________________________________<br>
>>> security-dev mailing list<br>
>>> <a href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a><br>
>>> <a href="https://lists.jboss.org/mailman/listinfo/security-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/security-dev</a><br>
>> _______________________________________________<br>
>> security-dev mailing list<br>
>> <a href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a><br>
>> <a href="https://lists.jboss.org/mailman/listinfo/security-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/security-dev</a><br>
>><br>
>><br>
>><br>
>> --<br>
>> Jason Porter<br>
>> <a href="http://lightguard-jp.blogspot.com" target="_blank">http://lightguard-jp.blogspot.com</a><br>
>> <a href="http://twitter.com/lightguardjp" target="_blank">http://twitter.com/lightguardjp</a><br>
>><br>
>> Software Engineer<br>
>> Open Source Advocate<br>
>><br>
>> PGP key id: 926CCFF5<br>
>> PGP key available at: <a href="http://keyserver.net" target="_blank">keyserver.net</a>, <a href="http://pgp.mit.edu" target="_blank">pgp.mit.edu</a><br>
>> _______________________________________________<br>
>> security-dev mailing list<br>
>> <a href="mailto:security-dev@lists.jboss.org">security-dev@lists.jboss.org</a><br>
>> <a href="https://lists.jboss.org/mailman/listinfo/security-dev" target="_blank">https://lists.jboss.org/mailman/listinfo/security-dev</a><br>
><br>
</div></div></blockquote></div><br><br clear="all"><br>-- <br><div dir="ltr">Jason Porter<br><a href="http://en.gravatar.com/lightguardjp" target="_blank">http://en.gravatar.com/lightguardjp</a><br></div>
</div>