Re: [security-dev] Undertow / IdentityManager and Digest Authentication
On 5/1/2013 6:01 PM, Shane Bryzak wrote:
> Sure you can implement it. I think we've proved with JAAS
that you can
> basically hack whatever you need. But What you're describing Shane is a
> hack to get around the inadequacies of the IDM API.
How is it a hack to use an SPI for the very purpose that it was designed
for?
Sure it is. Basically you're advocating ignoring the contract of the
IdentityManager.validateCredentials() method. That method is for
validating a credential. Not for creating a credential.
What our disagreement boils down to is whether or not we should be
exposing the raw/secret credential values via the IdentityManager API.
We could continue going back and forth with essentially the same
arguments but so far neither of us seem to be swayed one way or the
other - what I'd like is to hear some opinions from some other people.
Should we or should we not be making user credentials queryable?
It is just completely frustrating on my end because you keep saying you
don't want to expose raw/secret credential values, and yet, you state
things like you want to be able to register Handlers at the application
level. Once an application can register a Handler, what is stopping it
from getting access to the raw/secret credential? Nothing... So,
instead of writing simple code that queries for a secret then performs a
hash, I have to go through the hoops of creating a handler and
registering it. Complexity for no gain...
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com