Re: [securityfilter-devel] Securityfilter Improvements
Brought to you by:
chris_schultz,
maxcooper
Menu
▾
▴
Re: [securityfilter-devel] Securityfilter Improvements
|
From: Christopher S. <ch...@ch...> - 2007-11-05 18:11:04
|
Torgeir,
Torgeir Veimo wrote:
> On 5 Nov 2007, at 17:12, Christopher Schultz wrote:
>=20
>> General cleanup and updates:
>>
>> * Implement user-data-constraint (really transport-guarantee)
>=20
> This would allow automatic redirection to https for login pages? We=20
> would really like to have that feature.
Exactly. Both the servlet spec and the deployment descriptor comments
contain commentary similar to this:
"In most cases, the presence of the INTEGRAL or
CONFIDENTIAL flag will indicate that the use of SSL is required."
The only problem is that we'll have to allow for additional
configuration to specify what happens when the HTTP -> HTTPS switch is
made. For instance, Tomcat has Connectors that contain the configuration
for switching to HTTPS ("redirectPort", I think). We would need to add
that type of configuration to securityfilter-config.xml (which isn't hard=
).
>> Future Ideas:
>> * Eliminate use of jakarta-oro ; regexps are overkill for url-pattern
>> matching, and oro is nearly dead (right?)
>=20
> Any dependency removed would be nice. JDK regex is much better. Most =20
> projects are 1.4 or better these days.
Well, that might need to be a requirement of the new system. Then again,
the minimal url-pattern matching requirements do no need full regular
expression capabilities. Basically, you can use String.startsWith and
String.endsWith to handle everything, and I think that will improve
performance as well as remove a library dependency.
>> * Add support for CLIENT-CERT authentication
>=20
> Sounds tricky..
It's actually not that big of a deal, I think. If we continue to follow
the model of supporting Tomcat Realms right out of the box, I think we
can get away with adding a method to the SecurityRealmInterface that is
intended to call this method in Tomcat's realm:
public Principal authenticate(X509Certificate certs[]);
It "should" be as simple as taking the cert list from the request and
passing it off to this method.
Thanks for the comments,
-chris
|
