[security-dev] Resteasy authentication
Darran Lofthouse
darran.lofthouse at jboss.com
Wed Nov 28 10:01:02 EST 2012
Just catching up on some threads before getting back to some HTTP
authentication myself.
On 11/26/2012 09:38 PM, Bill Burke wrote:
> * Browser-based clients can't negotiate
That is not completely true - there is a limited level of negotiation
within browsers as HTTP already supports multiple mechanisms concurrently.
Within AS7 and Remoting for SASL we provide the client with a list of
supported mechanisms, the client chooses one mechanism - tries to auth,
fails and then tries the next mechanism on the list. It is true that
this sequence is not possible within HTTP.
However for the HTTP authenticators I am currently working on, instead of
sending the client the simple list we send them a response containing a
challenge for each supported mechanism - the browser then chooses which
mechanism it supports and uses it to respond to the challenge.
> * client-cert auth is just completely different than other auth
> mechanisms as is part of the socket connection set up, and nothing to do
> with HTTP
Combining client-cert auth with other HTTP mechanisms is more about
prioritising the order in which we make the decisions regarding authenticating,
so checking if there is a client certificate available on the connection
that we can use to authenticate before we make the decision to send the
challenges.
> * Any negotiation protocol sounds like it would be proprietary, so why
> not define our own auth protocols to begin with?
>
> IMO, we paint a vision, implement something very specific for that
> vision, then, later on worry about the ugly-soup of protocols that would
> need to be integrated.
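A small model of the server-side decision order described above (a client certificate already verified by TLS is used first; otherwise a single 401 carries one WWW-Authenticate challenge per supported mechanism and the client picks one), as an added example that is not code from this thread or from AS7/Resteasy; the realm, the user store and the Basic/Digest verifiers are assumptions of the example.

```python
"""Multi-challenge HTTP authentication as sketched in the thread (constructed model,
not AS7/Resteasy code). A client certificate already verified by TLS wins; otherwise
one 401 offers every supported mechanism and the client picks; an absent, unsupported
or bad answer gets the same challenges again. Digest: qop=auth, SHA-256, no nc tracking."""
import base64, hashlib, hmac, re, secrets

REALM = "example"                 # assumed realm
USERS = {"alice": "s3cret"}       # constructed credential store
_NONCES = set()                   # nonces this server has issued

def h256(s):
    return hashlib.sha256(s.encode()).hexdigest()

def challenges():
    """One WWW-Authenticate value per mechanism; the client chooses among them."""
    nonce = secrets.token_hex(16)
    _NONCES.add(nonce)
    return [f'Digest realm="{REALM}", qop="auth", algorithm=SHA-256, nonce="{nonce}"',
            f'Basic realm="{REALM}", charset="UTF-8"']

def _verify_basic(creds, method, uri):
    try:
        user, _, pw = base64.b64decode(creds, validate=True).decode().partition(":")
    except ValueError:            # not base64 / not UTF-8
        return None
    ok = user in USERS and hmac.compare_digest(USERS[user].encode(), pw.encode())
    return user if ok else None

def _verify_digest(creds, method, uri):
    p = {k: v.strip().strip('"')
         for k, v in re.findall(r'([\w-]+)=("[^"]*"|[^,]+)', creds)}
    user = p.get("username", "")
    if (p.get("realm") != REALM or p.get("nonce") not in _NONCES
            or p.get("uri") != uri or user not in USERS):
        return None               # foreign realm, nonce we never issued, URI mismatch, unknown user
    ha1 = h256(f"{user}:{REALM}:{USERS[user]}")
    ha2 = h256(f"{method}:{uri}")
    expect = h256(f"{ha1}:{p['nonce']}:{p.get('nc', '')}:{p.get('cnonce', '')}:auth:{ha2}")
    return user if hmac.compare_digest(expect, p.get("response", "")) else None

VERIFIERS = {"basic": _verify_basic, "digest": _verify_digest}

def authenticate(headers, method="GET", uri="/", client_cert_subject=None):
    """Return (status, info); client_cert_subject is whatever the TLS layer verified."""
    if client_cert_subject:       # decided before any HTTP challenge is sent
        return 200, {"user": client_cert_subject, "mechanism": "CLIENT-CERT"}
    scheme, _, creds = headers.get("Authorization", "").partition(" ")
    verify = VERIFIERS.get(scheme.lower())
    user = verify(creds.strip(), method, uri) if verify else None
    if user is None:              # no header, unsupported scheme, or failed credentials
        return 401, {"WWW-Authenticate": challenges()}
    return 200, {"user": user, "mechanism": scheme}
```

Each entry in the returned list is sent as its own WWW-Authenticate header (or joined with commas into one), which is how a browser sees several mechanisms offered at once.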