[security-dev] Resteasy authentication

Bill Burke bburke at redhat.com
Mon Nov 26 16:38:24 EST 2012 

Don't know anything about SASL.  I do like the idea of negotiation, but 
am not sure it can work.  There's just so many parts to consider:

* Browser-based clients can't negotiate
* client-cert auth is just completely different than other auth 
mechanisms as is part of the socket connection set up, and nothing to do 
with HTTP
* Any negotiation protocol sounds like it would be proprietary, so why 
not define our own auth protocols to begin with?

IMO, we paint a vision, implement something very specific for that 
vision, then, later on worry about the ugly-soup of protocols that would 
need to be integrated.

On 11/22/2012 8:48 AM, Pedro Igor Silva wrote:
> Hi Bill,
>
>     What do you think about having something like the SASL Mechanism Negotiation for JAX-RS ?
>
>     For example, we can have a Authentication Service (JAX-RS Endpoint) that knows how to negotiate the different supported authentication mechanisms using JSON objects during this interaction.
>
>     Example:
>
>         1) Client requests authentication (possibly implicitly by connecting to the server)
>         2) Server responds with a list of supported mechanisms using a specific JSON format. The JSON tells which mechanisms are supported and also details about how to use them.
>         3) Client chose one of the mechanisms.
>         4) Client uses the information returned by the server to send an authentication request based on the expected format for the mechanism he did choose. Maybe the format can be mapped to a specific credential type (like we have in PicketBox 5).
>         5) Client and server then exchange data, one round-trip at a time, until authentication either succeeds or fails.
>
> Regards.
> Pedro Igor
>
> ----- Original Message -----
> From: "Bill Burke" <bburke at redhat.com>
> To: security-dev at lists.jboss.org, "Jay Balunas" <jbalunas at redhat.com>, "Douglas Campos" <qmx at qmx.me>, abstractj at redhat.com
> Sent: Wednesday, November 21, 2012 7:49:30 PM
> Subject: [security-dev] Resteasy authentication
>
> Here's what I'm doing for a Restasy authentication solution (and how it
> relates to Picketlink).
>
> http://bill.burkecentral.com/2012/11/21/scoping-out-resteasy-skeleton-key-security/
>
>
> I should have something by Christmas that everybody can try out.
> Probably sooner.
>
> Have a nice Thanksgiving everybody.
>
> Bill
>

-- 
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com

More information about the security-dev mailing list