Scott M Stark wrote: >> ... >> > No, java.security.MessageDigest is standard in JDK 1.3. MACs are part > of JCA. You add new digest algorithms by supplying a MessageDigestSpi > implementation and registering it using the standard security provider > mechanism.
OK. I think we're talking at cross purposes and saying the same thing. I wasn't talking about whether to use MessageDigest or whether it was available in the standard JDK - I thought you were talking about making use of the Spi stuff directly. I probably shouldn't come home at 6am and read my mail :). When I last used this stuff extensively, the part that was exportable and came with the JDK was called the JCA (and included MessageDigest), the non-exportable javax.crypto.* stuff was the JCE (which includes MACs). > Formatting the digest into a string is another dimension that > we would have to provide. The hash algorithm should be one login module > option, and the representation of the digest another. This should include > 'raw' for the raw digest byte[], 'base64' and 'hex'. > Won't the 'raw' option cause problems with the current interfaces which all use Strings? >>> >>You mean >> >>a) check on each invocation and only crack up if a method is called >>which doesn't have a corresponding proxy method >> >>rather than >> >>b) check for all methods on initialization (when constructing the method >>maps) and throw an exception if the proxy doesn't match. >> >> > a, b and c) 'only validate invocations that have a corresponding proxy > method and > allow all others' should be the behaviors configurable based on a > checkPolicy attribute of the interceptor. I was envisaging that it would just be an on or off "strict" flag in AbstractSecurityProxy with "on" being b) and "off" being "c", with the default being "on". If you're expected to provide your own proxy implementation by subclassing this, then you would set the flag there, and could provide more complex behaviour if you wanted. I don't see how you could configure the security proxy interceptor or pass such information to the proxy without a lot of changes. And it seems like excessive extra configuration information for such a small difference. Luke. -- Luke Taylor. Monkey Machine Ltd. PGP Key ID: 0x57E9523C http://www.mkeym.com _______________________________________________ Jboss-development mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/jboss-development