jsr375-experts@javaee-security-spec.java.net

[jsr375-experts] Re: Current IdentityStore Propsal

From: arjan tijms <arjan.tijms_at_gmail.com>
Date: Tue, 26 Jan 2016 14:25:23 +0100

On Tue, Jan 26, 2016 at 2:04 PM, Darran Lofthouse <
darran.lofthouse_at_redhat.com> wrote:
>
> As a bare minimum I think we should verify the known existing HTTP
> authentication mechanisms can be covered.
>

I agree, that's also why I started with the BasicAuthenticationMechanism.
See
https://github.com/arjantijms/mechanism-to-store-x/blob/master/jsr375/src/main/java/org/glassfish/jsr375/mechanisms/BasicAuthenticationMechanism.java

It's not that we by all means needed that, but it functions as the most
minimum of proofs that the API could at least do something.

I intended to implement the other Servlet mechanisms (FORM, DIGEST, CLIENT)
next. I found in the past btw that the simple FORM with the exact semantics
as stipulated by the Servlet spec is often surprisingly difficult/laborious
to implement

With "HTTP authentication mechanisms" did you meant just these, or also
HTTP SCRAM? To be honest, I have to read up on SCRAM to see how it exactly
works.



> I agree about the low hanging fruit - I will have a look and see if I can
> propose something to evolve it slightly.


Okay, cool! The very latest version is still in my own branch, but I like
to merge that soon into the security EG repo. I've largely based it on the
discussions we had on this list earlier.

Kind regards,
Arjan Tijms