[security-dev] Undertow / IdentityManager and Digest Authentication
Bill Burke
bburke at redhat.com
Wed May 1 18:46:04 EDT 2013
On 5/1/2013 6:01 PM, Shane Bryzak wrote:
>> Sure you can implement it. I think we've proved with JAAS that you can
>> basically hack whatever you need. But what you're describing, Shane, is a
>> hack to get around the inadequacies of the IDM API.
>
> How is it a hack to use an SPI for the very purpose that it was designed
> for?
>
Sure it is. Basically you're advocating ignoring the contract of the
IdentityManager.validateCredentials() method. That method is for
validating a credential, not for creating a credential.
>
> What our disagreement boils down to is whether or not we should be
> exposing the raw/secret credential values via the IdentityManager API.
> We could continue going back and forth with essentially the same
> arguments, but so far neither of us seems to be swayed one way or the
> other - what I'd like is to hear some opinions from some other people.
> Should we or should we not be making user credentials queryable?
It is just completely frustrating on my end because you keep saying you
don't want to expose raw/secret credential values, and yet, you state
things like you want to be able to register Handlers at the application
level. Once an application can register a Handler, what is stopping it
from getting access to the raw/secret credential? Nothing... So,
instead of writing simple code that queries for a secret and then performs a
hash, I have to go through the hoops of creating a handler and
registering it. Complexity for no gain...
--
Bill Burke
JBoss, a division of Red Hat
http://bill.burkecentral.com
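An added illustration of the "query for a secret, then perform a hash" step that Digest verification needs (example code added here, not Undertow's or the IdentityManager implementation under discussion): the server-side check only needs HA1 = MD5(username:realm:password), which a credential store can hold in place of the plaintext password. The header and password are the RFC 2617 section 3.5 worked example; the function names are my own.

```python
import hashlib
import hmac
import re

def _md5(text: str) -> str:
    return hashlib.md5(text.encode("utf-8")).hexdigest()

def make_ha1(username: str, realm: str, password: str) -> str:
    # HA1 = MD5(username:realm:password). It is the only secret the server
    # needs for Digest; a store can hold it instead of the plaintext password.
    return _md5(f"{username}:{realm}:{password}")

def digest_response(ha1: str, method: str, uri: str, nonce: str,
                    nc: str, cnonce: str, qop: str = "auth") -> str:
    # RFC 2617 response with qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def parse_digest_header(header: str) -> dict:
    # Parse 'Digest k="v", k=v, ...' into a dict (quoted or bare values).
    body = header.split(" ", 1)[1]
    fields = {}
    for key, quoted, bare in re.findall(r'(\w+)=(?:"([^"]*)"|([^,\s]*))', body):
        fields[key] = quoted if quoted else bare
    return fields

def verify_digest(stored_ha1: str, method: str, header: str) -> bool:
    # Server side: recompute the response from the stored HA1 and compare in
    # constant time. Nonce freshness/replay tracking is out of scope here.
    f = parse_digest_header(header)
    expected = digest_response(stored_ha1, method, f["uri"], f["nonce"],
                               f["nc"], f["cnonce"], f.get("qop", "auth"))
    return hmac.compare_digest(expected, f["response"])

# Constructed sample: the Authorization header from RFC 2617 section 3.5.
SAMPLE_HEADER = (
    'Digest username="Mufasa", realm="testrealm@host.com", '
    'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", uri="/dir/index.html", '
    'qop=auth, nc=00000001, cnonce="0a4f113b", '
    'response="6629fae49393a05397450978507c4ef1"'
)
STORED_HA1 = make_ha1("Mufasa", "testrealm@host.com", "Circle Of Life")

if __name__ == "__main__":
    print(verify_digest(STORED_HA1, "GET", SAMPLE_HEADER))
```

Whether the store returns the plaintext password or a precomputed HA1, the verifier still has to be handed a secret to hash against; that is the query the message above says the API should allow directly.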