[security-dev] Undertow / IdentityManager and Digest Authentication

Bill Burke bburke at redhat.com
Wed May 1 18:46:04 EDT 2013

On 5/1/2013 6:01 PM, Shane Bryzak wrote:
>> Sure you can implement it.  I think we've proved with JAAS that you can
>> basically hack whatever you need.  But what you're describing Shane is a
>> hack to get around the inadequacies of the IDM API.
> How is it a hack to use an SPI for the very purpose that it was designed
> for?

Sure it is.  Basically you're advocating ignoring the contract of the 
IdentityManager.validateCredentials() method.  That method is for 
validating a credential.  Not for creating a credential.

> What our disagreement boils down to is whether or not we should be
> exposing the raw/secret credential values via the IdentityManager API.
> We could continue going back and forth with essentially the same
> arguments but so far neither of us seem to be swayed one way or the
> other - what I'd like is to hear some opinions from some other people.
> Should we or should we not be making user credentials queryable?

It is just completely frustrating on my end because you keep saying you 
don't want to expose raw/secret credential values, and yet, you state 
things like you want to be able to register Handlers at the application 
level.  Once an application can register a Handler, what is stopping it 
from getting access to the raw/secret credential?  Nothing...  So, 
instead of writing simple code that queries for a secret then performs a 
hash, I have to go through the hoops of creating a handler and 
registering it.  Complexity for no gain...

Bill Burke
JBoss, a division of Red Hat
