Mark Thomas wrote:
> I am -1 for this for the following reasons (in order of importance):
> 1. Your reference to sending an encrypted user certificate file to the
> server demonstrates a lack of understanding of PKI that undermines my
> confidence that you know what you are doing when it comes to security.
> 2. JAAS provides plug-in authentication.
> 3. Password hashing is already supported.
> 4. The implementation is Tomcat specific and hence is non-portable.

I agree with the arguments. I'll be the first to admit, however, that
FORM (and the other auth methods from the spec) are insufficient and not
flexible enough, and I am not completely against adding additional
custom auth-methods.
Rémy