Hi Paul,

> As I wrote a while back, I implemented 3 Credential Matching Strategies. Only
> the third one requires Bouncy Castle as a dependency.

Nice!

>> I implemented several CredentialMatchers:
>> - DN matching (but I think this is the poor man's mutual authentication as
>>   it opens security vulnerabilities)
>> - certificate fingerprint matching (more robust IMHO)
>> - full PKIX path validation using a trusted certificates collection
>>   provided by the underlying realm (really nice if you have several
>>   authorities and a complex security model)
>
> We can imagine putting only this in a separate module and having basic X.509 support
> in shiro-web.
>
> WDYT?

+1

Since this would be purely optional, I don't have a problem adding this as a support module. We may find that we want to support some other BC things in the future, like additional Cipher Modes of Operation that aren't in the JDK by default for CipherService implementations.

Anyone else have an opinion?

Les
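The three strategies Paul lists differ in what they actually bind the principal to, and the difference only becomes concrete when you run the matchers against a certificate that an attacker can produce. The program below is an added illustration written for this thread; it is not Paul's Shiro code and does not use the Shiro or Bouncy Castle APIs. It uses Go's standard crypto/x509 package instead of Java, because it can mint all the certificates it needs in-process, so it runs offline. The function names (matchDN, matchFingerprint, matchPKIX, RunScenario), the certificate subjects ("Realm CA", "Rogue CA", alice) and the scenario itself are constructed for the example. It enrolls alice with a certificate from the realm's CA, then presents three certificates to each matcher: the enrolled one, an impostor with an identical subject DN issued by an untrusted CA, and alice's legitimate renewal from the trusted CA. DN matching accepts the impostor, which is the vulnerability Paul alludes to; fingerprint matching rejects the impostor but also rejects the renewal, which is the operational caveat of pinning; PKIX validation with the realm's trust anchors gets both cases right.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

var nextSerial int64 // constructed demo only: simple increasing serial numbers

// newCert issues a certificate for subject. With parent == nil it is self-signed
// (a root CA when isCA is true); otherwise it is signed by parent with parentKey.
func newCert(subject pkix.Name, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	nextSerial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(nextSerial),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Strategy 1: DN matching. Whoever can obtain a certificate carrying the same
// subject name, from any issuer whatsoever, satisfies this check.
func matchDN(presented *x509.Certificate, enrolledDN string) bool {
	return presented.Subject.String() == enrolledDN
}

// fingerprint is SHA-256 over the DER encoding of the certificate.
func fingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.Raw)
	return hex.EncodeToString(sum[:])
}

// Strategy 2: fingerprint matching. Binds the principal to one exact certificate;
// the comparison is constant-time so the check leaks nothing about the stored value.
func matchFingerprint(presented *x509.Certificate, enrolledFP string) bool {
	return subtle.ConstantTimeCompare([]byte(fingerprint(presented)), []byte(enrolledFP)) == 1
}

// Strategy 3: PKIX path validation. The realm supplies its trust anchors; the
// presented certificate must chain to one of them and be valid for client auth.
func matchPKIX(presented *x509.Certificate, trusted []*x509.Certificate) bool {
	roots := x509.NewCertPool()
	for _, t := range trusted {
		roots.AddCert(t)
	}
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err == nil
}

// Verdicts records which strategy accepts which certificate.
type Verdicts struct {
	DNEnrolled, FPEnrolled, PKIXEnrolled bool // the certificate alice enrolled with
	DNImpostor, FPImpostor, PKIXImpostor bool // same DN, issued by an untrusted CA
	DNRenewed, FPRenewed, PKIXRenewed    bool // alice's renewal from the trusted CA
}

// RunScenario builds the realm CA, an attacker-controlled CA, and the three
// candidate certificates, then runs every matcher over each of them.
func RunScenario() Verdicts {
	realmCA, realmKey := newCert(pkix.Name{CommonName: "Realm CA"}, true, nil, nil)
	aliceName := pkix.Name{CommonName: "alice", Organization: []string{"Example Corp"}}
	enrolled, _ := newCert(aliceName, false, realmCA, realmKey)
	trusted := []*x509.Certificate{realmCA}
	enrolledDN, enrolledFP := enrolled.Subject.String(), fingerprint(enrolled)

	// An attacker with their own CA mints a certificate with an identical subject.
	rogueCA, rogueKey := newCert(pkix.Name{CommonName: "Rogue CA"}, true, nil, nil)
	impostor, _ := newCert(aliceName, false, rogueCA, rogueKey)

	// Alice's legitimate renewal: same subject, new key, trusted issuer.
	renewed, _ := newCert(aliceName, false, realmCA, realmKey)

	return Verdicts{
		DNEnrolled: matchDN(enrolled, enrolledDN), FPEnrolled: matchFingerprint(enrolled, enrolledFP), PKIXEnrolled: matchPKIX(enrolled, trusted),
		DNImpostor: matchDN(impostor, enrolledDN), FPImpostor: matchFingerprint(impostor, enrolledFP), PKIXImpostor: matchPKIX(impostor, trusted),
		DNRenewed: matchDN(renewed, enrolledDN), FPRenewed: matchFingerprint(renewed, enrolledFP), PKIXRenewed: matchPKIX(renewed, trusted),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

Note that the PKIX matcher on its own only proves that the presenter holds a certificate the realm's CAs vouch for; mapping that certificate to a principal (by subject, SAN or serial) is still the realm's job, and the DN comparison is only safe once path validation has already established who issued the name.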