Yes, but this is not true for digest auth. There are actually very few client environments
that fully support digest out of the box.
So I would say this argument doesn't count, as digest is not any less complicated to
use than any other more sophisticated auth mechanism.
I agree with the TLS argument: for most other auth mechanisms I looked at, it seems to be
a requirement indeed.
But can you elaborate why we cannot ship certificates (out of the box) that need to be
replaced in production environments?
This would give us TLS and push the need for custom certificate creation beyond the
out-of-the-box scenario.
On 10 Dec 2013, at 19:00, Darran Lofthouse <darran.lofthouse(a)jboss.com> wrote:
The next issue is that by using standard HTTP authentication
mechanisms standard APIs can be used in many programming languages to actually call the
management interface without needing to know about alternative authentication schemes.